About This Guide


This guide is for Novell® eDirectory™, DirXML®, and GroupWise® administrators who are using
the DirXML Driver for GroupWise.


The driver provides data integration between users in eDirectory and GroupWise accounts in the 
GroupWise domain. For example, the driver can create e-mail accounts automatically when an 
employee is hired. The driver can also disable an e-mail account when a user is no longer active. 
This configurable solution gives organizations the ability to increase productivity and streamline 
business processes by integrating GroupWise and eDirectory. 


The guide contains the following sections: 
+ Chapter 1, “Introducing the DirXML Driver for GroupWise”
+ Chapter 2, “Installing and Configuring the DirXML Driver for GroupWise”
+ Chapter 3, “Using Policies and Filters”
+ Chapter 4, “Troubleshooting the DirXML Driver for GroupWise”
+ Appendix A, “Class and Attribute Descriptions”
+ Appendix B, “Upgrading from the 1.0a Version of the Driver”


Additional Documentation 


For documentation on using DirXML and the other DirXML drivers, see the Identity Manager
Documentation Web site (http://www.novell.com/documentation/lg/dirxml20).


Documentation Updates 


For the most recent version of this document, see the Drivers Documentation Web site
(http://www.novell.com/documentation/lg/dirxmldrivers/index.html).


Documentation Conventions 


The term driver refers to all components of the DirXML Driver for GroupWise and not to any one 
particular component. 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.


User Comments 


We want to hear your comments and suggestions about this manual and the other documentation 
included with Novell Nsure™ Identity Manager. To contact us, send e-mail to 
proddoc@novell.com. 




8 DirXML Driver for GroupWise Implementation Guide 


Introducing the DirXML Driver for GroupWise 


The DirXML® Driver for GroupWise® is designed to synchronize user data between Novell®
eDirectory™ and GroupWise, and to manage GroupWise accounts and account information. When
a user in eDirectory is modified, created, renamed, moved, or deleted, the driver synchronizes the
changes with the GroupWise account.


Because eDirectory is the authoritative data source, any data created, modified, renamed, and 
deleted in eDirectory synchronizes to GroupWise. 


The driver runs on the Linux*, Windows* NT*/2000/XP and NetWare® platforms. When used in 
conjunction with the Remote Loader, the driver can connect to a domain database on the Solaris 
platform. 


New Features 


The following section contains information about the new driver features, as well as new features 
provided in Novell Nsure™ Identity Manager. 


Driver Features 


This version of the driver provides the following new functionality: 
+ You can now install the driver locally on Linux.
+ A driver running on a NetWare server can connect to a domain on a remote NetWare server.
+ A new matching rule has been added, as well as new classes and attributes to the schema.
+ You can now synchronize eDirectory groups with GroupWise distribution lists.
+ You can generate <add> events to create nicknames.
+ You can modify Global Configuration Values (GCVs) to control driver behavior.
+ You can obtain record counts from <query> operations.


Identity Manager Features 


For more information on the new features of Identity Manager, refer to the Nsure Identity Manager
2 Administration Guide (http://www.novell.com/documentation/lg/dirxml20/admin/data/alxnk27.html).
Methods for Managing GroupWise Accounts


Before the DirXML driver for GroupWise was developed, you managed GroupWise accounts in 
conjunction with eDirectory entirely with the ConsoleOne® GroupWise snap-ins. Now, you can 
also use the driver to manage certain components of GroupWise accounts. For instance, you can 
automatically provision new users from eDirectory or your HR system through the use of Identity 
Manager. 


We recommend that you make account changes in eDirectory. You should use either iManager or
ConsoleOne (without the GroupWise snap-ins) to administer users in eDirectory, then let the
driver synchronize any changes into GroupWise.


Do not use the ConsoleOne GroupWise snap-ins for anything the driver is configured to do. When
you have the driver installed, if you manage GroupWise user accounts with the ConsoleOne
GroupWise snap-ins, it results in redundant synchronization of data because data changes are
synchronized by both the snap-ins and the driver. Redundant synchronization of data might result
in warnings or errors in the Identity Manager logs. However, these warnings or errors can usually
be ignored.


IMPORTANT: If you create eDirectory users with ConsoleOne, be sure to use a ConsoleOne without the 
GroupWise snap-ins installed. The ConsoleOne snap-ins for GroupWise operate after the driver and remove 
some vital data from eDirectory. This has been fixed in the snap-ins released with GroupWise 6.5. 


You should use the GroupWise ConsoleOne snap-ins to manage these components of GroupWise 
accounts: 


+ Distribution List administration
+ GroupWise system-wide parameters, such as nickname expiration date
+ X.400 information
+ Resources
+ Mailbox library maintenance
+ Client options and preferences
+ Grafting
+ Backup and restore


Driver Components


The driver uses the following components:
+ GroupWise API
+ Driver shim
+ Driver configuration


GroupWise API


This API is necessary for the driver to perform the required actions in GroupWise. This API is
installed together with the driver shim.


Driver Shim


A Java* driver shim that communicates between the DirXML engine and the GroupWise API. 
This driver shim is installed together with the GroupWise API. 


Driver Configuration 


This XML file contains all eDirectory objects necessary for the driver, including the appropriate 
policies for adding, modifying, and deleting or disabling GroupWise accounts. In addition, the 
driver configuration file controls the information being sent from eDirectory to GroupWise. The 
driver configuration file should be installed to the computer where your management tool
(iManager) resides.


Publisher Channel Issues 


Objects in eDirectory also contain GroupWise attributes. The driver filter specifies the classes and 
attributes that GroupWise publishes to eDirectory. We do not recommend making changes to the 
driver filter regarding which attributes are published to eDirectory. 


Subscriber Channel Issues 


GroupWise accounts are administered through eDirectory. Driver customizations are usually done 
in the Subscriber channel or at the driver level. The Subscriber channel receives commands from 
the DirXML engine and executes those commands in GroupWise. The Subscriber channel is used 
to synchronize eDirectory events with GroupWise. It watches for additions, modifications, 
renames, moves, and deletes in eDirectory and creates events in GroupWise to reflect those 
changes. 


You can add to the base configuration that comes with the driver. However, do not remove or 
modify preconfigured attributes from the Subscriber filter or the Mapping policy. 
Installing and Configuring the DirXML Driver for GroupWise


This section helps you do the following:
+ “Meeting the Requirements for the Driver”
+ “Planning for the Installation”
+ “Installing the Driver”
+ “Upgrading from the 2.1 Version of the Driver”
+ “Post-Installation Tasks”
+ “Additional Considerations”


Meeting the Requirements for the Driver 


This section lists the software requirements for the DirXML® Driver for GroupWise®.
+ Novell Nsure™ Identity Manager 2 DR1
+ Novell Client™ 4.9 or later for Windows NT/2000
+ We recommend using GroupWise 6.5

You can use earlier versions of GroupWise, but some new features may not be supported in
earlier releases.


Planning for the Installation 


Before you install and use the driver, you must plan a local or remote installation and define user
accounts for GroupWise driver access.


Understanding a Local Installation


A local installation installs the driver on the same Windows NT/2000, Linux, or NetWare®
computer where you installed Identity Manager and eDirectory™. The GroupWise domain
database can either be on the same computer or a different computer.
[Figure: Local System Configuration. Option 1: Linux/NetWare/NT/2000. Option 2: Linux/NetWare/NT/2000, Synchronization, Linux/NetWare/NT/2000.]


If: The GroupWise driver is running on a NetWare server.
Then: The GroupWise server (domain database) must also exist on NetWare.

If: The GroupWise driver is running on a Linux server, and the GroupWise server (domain database) is on NetWare.
Then: Mount the GroupWise server with ncpfs. The server must be mounted before the driver can run. Use a mount point to access the GroupWise server.

If: The GroupWise driver is running on a Linux server, and the GroupWise server (domain database) is on Windows or Linux.
Then: Mount the GroupWise server with smbfs. The server must be mounted before the driver can run. Use a mount point to access the GroupWise server.


NOTE: NFS is not supported.


Understanding a Remote Installation


A remote installation installs the driver on a different computer than the one where Identity
Manager and eDirectory are installed. You should use this configuration when Identity Manager
and eDirectory are installed on a Solaris* platform. The driver is installed with the Remote Loader
on a Linux, NetWare, or Windows NT/2000 system. The GroupWise domain database can be on
any of the systems or on a separate system.


GroupWise can be installed on a separate system, on the system where the DirXML engine resides,
or on the driver system (two-system installation); or all components can be installed on a single
Linux, NetWare, or Windows NT/2000 system.
[Figure: Remote System Configuration. Option 1: Linux, Solaris, NetWare; Linux/NetWare/NT/2000. Option 2: Linux, Solaris, NetWare; Synchronization; Linux/NetWare/NT/2000; Synchronization; Linux/NetWare/NT/2000.]


Configuring Driver Authentication 


In order for the driver to authenticate to the GroupWise domain, the driver must first authenticate 
to its local operating system, and then authenticate to the system holding the GroupWise domain. 
(If the driver is on the same computer as the domain database or running on Linux, you do not need 
to configure authentication.) 


As part of configuring authentication, you create the same username and password on each system, 
and assign the account administrative rights. 


IMPORTANT: To establish a connection between systems, you must create user accounts with the same 
username and password for each system. 


The following topics help you configure authentication: 


+ “Creating a User Account for the System Containing the Driver for Windows NT/2000/XP”
+ “Creating a User Account for the System Containing the GroupWise Domain”


Creating a User Account for the System Containing the Driver for Windows NT/2000/XP 


As part of configuring authentication, you should create the same username and password on the 
system containing the driver, and assign the account administrative rights. 


After you have created the user account for the driver system, refer to “Creating a User Account 
for the System Containing the GroupWise Domain” on page 18. 
Defining an Account when the Driver Is on Windows NT


1 From the Start Menu, select Programs > Administrative Tools (Common), then click User 
Manager. 


2 Select User > New User, then specify a new username. 
The user name must be the same on both systems. 
3 Specify a case-sensitive password. 
The password must be the same on both systems. 
4 Select Password Never Expires, then deselect all other boxes. 
5 Select Groups, select Add Administrators to the "Member of", then click OK. 
IMPORTANT: This user should be part of the administrator group. 
6 Click OK. 
7 Select the user you just created. 
8 Select Policies > User Rights. 
9 Select the Show Advanced User Rights check box. 
10 Select Log on as a Service from the Rights drop-down list. 
11 Click Add, then click Show Users. 
12 Select the user you just created. 
13 Click Add, then click OK. 
14 Click OK. 
15 Close the User Manager window. 
16 Restart the system. 


Defining an Account when the Driver Is on Windows 2000 


1 From the Start Menu, click Settings > Control Panel > Administrative Tools, then click 
Computer Management. 


2 In the Tree view, open Local Users and Groups. 
3 Click Users, click Action, then click New User. 
4 Specify a username, and a case-sensitive password. 
The username and password must be the same on both systems. 
5 Click Password Never Expires, click Create, then click Close. 
6 Deselect all other boxes. 
7 In the Tree view, select Groups. 
8 Double-click Administrators. 
9 Click Add. 
10 Click Add to select the user you just created, then click OK. 
11 Click OK. 


12 Close the Computer Management window. 
13 Select Local Security Policy from the Administrative Tools window.
14 Open Local Policies in the Tree view.
15 Select User Rights Assignment.
16 Double-click Log On As a Service.
17 Make sure your user is displayed and has the “effective rights” box checked.
18 Select Add, specify the user you just created, click Add, then click OK.
19 Click OK.
20 Close the Local Security Settings window.
21 Close the Administrative Tools window.
22 Restart your computer.


Defining an Account when the Driver Is on Windows XP 


To define a user account when the driver is on Windows XP: 


1 From the Start Menu, click Control Panel, Administrative Tools, then click Computer
Management.
2 In the Tree view, open Local Users and Groups.
3 Click Users > Action, then click New User.
4 Specify a username, and a case-sensitive password.
The username and password must be the same on both systems.
5 Deselect all boxes except Password Never Expires, click Create, then click Close.
6 In the Tree view, select Groups.
7 Double-click Administrators.
8 Click Add.
9 Specify the user you just created, click Check Names to verify the name, then click OK.
10 Click OK.
11 Close the Computer Management window.
12 Open Local Security Policy from the Administrative Tools window.
13 Open Local Policies in the Tree view.
14 Select User Rights Assignment.
15 Double-click Log on As a Service.
16 Select Add User or Group, then specify the user you just created.
17 Click Check Names to verify the name, then click OK.
18 Click OK.
19 Close the Local Security Settings window.
20 Close the Administrative Tools window.
21 Restart your computer.
Defining an Account when the Driver Is on Windows 2000 AD Domain Controller


1 From the Start Menu, click Settings > Control Panel > Administrative Tools, then click Active 
Directory Users and Computers. 


2 In the Tree view, click Users, click Action, click New, then click User. 
3 Specify the full name, then specify the user login name. 


The user login name is used in the driver configuration. The user name must be the same on 
both systems. 


4 Click Next. 
5 Specify a case-sensitive password.
The password must be the same on both systems. 
6 Select Password Never Expires. 
7 Click Next, then click Finish. 
8 In the Tree, select Builtin, click Administrators > Members, then click Add. 
9 Select the full name of the user you entered in step 3, click Add, then click OK. 
10 Click OK. 
11 Close the Active Directory Users and Computers window. 
12 In the Administrative Tools window, select Domain Controller Security Policy. 
13 In Tree, expand the Security Settings, click Local Policies, then User Rights Assignment. 


14 Select Log On As a Service and select Define These Policy Settings. Click Add twice, then 
click Browse. 


15 Browse to and select the user you created in step 3. Click Add, click OK, then click OK again. 
16 Click OK and close the Domain Controller Security Policy window. 

17 In the Administrative Tools window, select Local Security Policy. 

18 In Tree, expand Local Policies, then click User Rights Assignment. 


19 Select Logon as a service, select Local Policy Settings for the user created in step 3, then click 
OK. 


20 Close the Local Security Policy window. 
21 Restart the system. 


Creating a User Account for the System Containing the GroupWise Domain 
As part of configuring authentication, you should create a username and password on the system
containing the GroupWise domain and assign the account administrative rights. 


IMPORTANT: To establish a connection between the driver and the GroupWise domain system, you should 
create user accounts with the same username and password for each system. 


If the GroupWise domain exists on Linux, and the driver is on Windows NT/2000, the Linux 
account must be created in Samba. For all other platforms, use the following instructions. 


If you have not created the user account for the driver system, refer to “Creating a User Account 
for the System Containing the Driver for Windows NT/2000/XP” on page 15. (If the driver runs 
on Linux or NetWare, you do not need to create this user account.) 
Defining an Account when the GroupWise Domain Is on Windows NT


1 From the Start Menu, select Programs > Administrative Tools (Common) > User Manager.
2 Select User > New User > specify a name.
The user name must be the same on both systems.
3 Specify a case-sensitive password.
The password must be the same on both systems.
4 Select Password Never Expires and deselect all other boxes.
5 Select Groups > Add Administrators to the "Member of", then click OK twice.
6 Click OK to close the User Manager window.
7 Double-click the My Computer icon on the desktop.
8 Right-click the drive that contains the GroupWise Domain > Properties > Sharing.
9 Select New Share.
10 Specify a share name to be used by the drive.
11 Restart the system.
12 Select Permissions > Everyone > Remove menu.
13 Select Add.
14 Select the user you added above.
15 Click Add, then click OK.
16 Select Permissions: Full Control, then click OK three times.
17 Restart the system.


Defining an Account when the GroupWise Domain Is on Windows 2000 


1 From the Start Menu, click Settings > Control Panel > Administrative Tools > Computer
Management.
2 In the Tree view, open Local Users and Groups > Users > Action > New User.
3 Specify a username.
The username must be the same on both systems.
4 Specify a case-sensitive password.
5 Select Password Never Expires, and then deselect all other boxes.
6 Click Create, then click Close.
7 Close the Windows Manager window.
8 Double-click the My Computer icon on the desktop.
9 Right-click the drive that contains the GroupWise Domain > Properties > Sharing.
10 Select New Share.
11 Specify a share name to be used by the drive.
12 Restart the system.
13 Select Permissions > Everyone > Remove menu.
14 Select Add.
15 Select the user you added above.
16 Click Add, then click OK.
17 Select Permissions: Full Control, then click OK three times.
18 Restart the system.


Defining an Account when the GroupWise Domain Is on NetWare 


If the driver is running on NetWare or Windows NT/2000 and the GroupWise domain is on a 
remote NetWare server, it's especially important to verify that this user has rights to the 
GroupWise directory tree. If access is not granted to this user, changes do not replicate to the rest 
of the GroupWise system. 


1 In ConsoleOne, create a user in NetWare with the same username and password as the 
Windows user account. 


2 Give the user Read, Write, Create, Erase, Modify, and File Scan access to the GroupWise 
primary domain directory and subdirectories. 


Installing the Driver 


You install the driver as part of the Novell Nsure Identity Manager 2 installation program. For
installation instructions, refer to the Novell Nsure Identity Manager 2 Administration Guide
(http://www.novell.com/documentation/lg/dirxml20/index.html).


This section explains how to import the driver configuration for the DirXML Driver for
GroupWise. Importing the driver configuration also creates the driver object. After you have
imported the configuration, you can use iManager to configure and manage the driver.


In this section, you will find information for: 
+ “Importing the Driver Configuration”
+ “Viewing Driver Parameters”
+ “Modifying Global Configuration Values”
+ “Activating the Driver”


Importing the Driver Configuration 


The Create Driver Wizard helps you import the basic driver configuration file for GroupWise. This 
file creates and configures the objects and policies needed to make the driver work properly. The 
following instructions explain how to create the driver and import the driver’s configuration. 


1 In Novell iManager, click DirXML Utilities > Create Driver. 
2 Select a driver set. 


If you place this driver in a new driver set, you must specify a driver set name, context, and 
associated server. 


3 Select Import a Driver Configuration from the Server, then select GroupWise.xml. 


The driver configuration files are installed on the Web server when you install Identity
Manager. During the import, you will be prompted for the driver’s parameters and other
information. Depending on the configuration options you select, you will be prompted for
some combination of the following information:

+ Driver name
+ Whether or not to use Role-based Entitlements
+ The DN of the default GroupWise post office
+ The version of the GroupWise Domain database
+ The server OS of the driver and the server OS of the GroupWise domain
+ Whether or not to run the driver locally or remotely
+ The name or address of the server containing the GroupWise primary domain
+ The path to the directory containing the GroupWise primary domain database
+ The username the driver uses to authenticate to the remote server containing the
GroupWise domain database
+ The password for the username
+ The eDirectory context of the username
+ What action you want the GroupWise driver to take when an eDirectory user is created
with a GroupWise account entitlement
+ What action you want the GroupWise driver to take when an eDirectory user is disabled
with a GroupWise account entitlement
+ The host name or IP address and port number where the Remote Loader Service runs
+ The Driver Object password used by the Remote Loader Service
+ The Remote Loader password

4 After entering the import parameters, click OK to import the driver. 


When the import is finished, you can define security equivalences and exclude administrative 
roles from replication. 


The driver object must be granted sufficient eDirectory rights to any object it reads or writes. 
You can do this by granting Security Equivalence to the driver object. The driver must have 
Read/Write access to users, post offices, resources, and distribution lists, and Create, Read, 
and Write rights to the post office container. Normally, the driver should be given security 
equal to Admin. 


5 Review the driver objects in the Summary page, then click Finish. 


Keep in mind that installing the driver software lets you get the driver up and running, but it does 
not install the product license. Without the license and activation, the driver will not run after 90 
days. For more information, refer to “Activating Novell Identity Manager Products”. 


Viewing Driver Parameters 


During the driver import process, you entered the driver configuration values. Use the following 
procedure to view or modify these values. 


1 In iManager, click DirXML Management > Overview. 


2 Browse to the driver set where the GroupWise driver exists. 


3 Click the driver status icon, then click Edit Properties. 


4 Click the Driver Configuration tab, then modify any of the parameters. 
Modifying Global Configuration Values


Global configuration values (GCVs) are new settings that are similar to driver parameters. Global
configuration values can be specified for a driver set as well as an individual driver. If a driver does
not have a GCV, the driver inherits the value for that GCV from the driver set.


GCVs allow you to specify settings for new Identity Manager features such as password
synchronization and driver heartbeat, as well as settings that are specific to the GroupWise driver.
For more information, refer to “Using Global Configuration Values” in the Novell Nsure Identity
Manager 2 Administration Guide.


1 In iManager, click DirXML Management > Overview.
2 Browse to the driver set where the GroupWise driver exists.
3 Click the driver status icon, then click Edit Properties.
4 Click the Global Config Values tab, then modify any of the following GCVs.


GCV Name: GroupWise Domain Database Version
Description: The version of the GroupWise domain database to which this driver should connect.

GCV Name: Synchronize Groups
Description: Select True if you want this driver to synchronize eDirectory groups to GroupWise distribution lists. Otherwise, select False.

GCV Name: Create Nicknames
Description: Select True to specify that the driver creates GroupWise nicknames when GroupWise accounts are renamed or moved to another post office. Otherwise, select False.

GCV Name: Reassign Resource Ownership
Description: Select True to specify that this driver should reassign ownership of resources when GroupWise accounts are disabled or expired. Otherwise, select False.

If you select True, the resources are assigned to the default User ID you specify in the next parameter. This setting does not apply when a GroupWise account is deleted because the resources must be reassigned. The default is False.

GCV Name: Default Resource Owner User ID
Description: Specify the prefix of the default user who will become the new owner of resources that are reassigned. The default is IS admin.

You must specify this name even when the Reassign Resource Ownership option is False. When a GroupWise Account is deleted, its resources are assigned to this account. If the default User ID does not have a GroupWise account in the post office of the deleted account, an account is created.

IMPORTANT: The driver does not start if a default user prefix is not specified.

GCV Name: Create Accounts During Migration
Description: Select True or False to specify that this driver should create new GroupWise accounts for users without a current account during a migration from eDirectory.

Migration causes Identity Manager to examine every object specified. When an object does not have a driver association, the Create policy is applied. If the object meets the Create rule criteria, the object is passed to the driver as an Add event. Otherwise, when you specify True, the driver creates a GroupWise account. When False is specified, the add event is ignored and the driver issues a warning that this option is set to False. The default value is False.

GCV Name: Action on eDirectory User Delete
Description: When a user is deleted in eDirectory, specify the action you want the driver to take on an associated GroupWise account. Choose from Delete the GroupWise Account, Disable the GroupWise Account, Expire the GroupWise Account, or Disable and Expire the GroupWise Account.

GCV Name: Action on eDirectory User Expire/Unexpire
Description: When a user login in eDirectory is expired/unexpired, specify the action you want the driver to take on an associated GroupWise account. Choose from Expire/Unexpire the GroupWise Account, Disable/Enable the GroupWise Account, or Disable/Enable and Expire/Unexpire the GroupWise Account.

GCV Name: Action on eDirectory User Disable/Enable
Description: When a user login in eDirectory is disabled/enabled, specify the action you want the driver to take on an associated GroupWise account. Choose from Expire/Unexpire the GroupWise Account, Disable/Enable the GroupWise Account, or Disable/Enable and Expire/Unexpire the GroupWise Account.

GCV Name: Remove GW Account from All Distribution Lists on Expire
Description: Select True if you want the driver to remove the GroupWise account from all distribution lists when the account is expired. Otherwise, select False.

GCV Name: Remove GW Account from All Distribution Lists on Disable
Description: Select True if you want the driver to remove the GroupWise account from all distribution lists when the account is disabled. Otherwise, select False.

GCV Name: Publisher Heartbeat Interval
Description: Specify the Publisher channel heartbeat interval in minutes. Enter 0 to disable the heartbeat.

GCV Name: Set the Initial/Default GroupWise Password on Account Creation
Description: If True, the GroupWise initial/default password is set when an account is created. The initial password value is specified in the Create Policy. If False, the initial password is not set.

GroupWise has two passwords, the initial password and regular password. In GroupWise, the initial password is stored in clear text and can be seen by an administrator. The regular password is encrypted and cannot be viewed. When set, the regular password is used by GroupWise instead of the initial/default password. When a GroupWise user changes his or her password, it is stored as the regular password. In the interest of security, the initial password is never set to a password sent from eDirectory (nspmDistributionPassword attribute).

GCV Name: Synchronize the eDirectory Password to the GroupWise Regular Password
Description: If True, allows passwords to flow from eDirectory to GroupWise. If False, the regular password is not set. GroupWise has two passwords, the initial password and the regular password.

In GroupWise, the initial password is stored in clear text and can be seen by an administrator. The regular password is encrypted and cannot be viewed. When set, the regular password is used by GroupWise instead of the initial/default password. When a GroupWise user changes his or her password, it is stored as the regular password. In the interest of security, the initial password is never set to a password sent from eDirectory (nspmDistributionPassword attribute).

GCV Name: Connected System or Driver Name
Description: The name of the connected system, application, or DirXML driver. This value is used by the e-mail notification templates.
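
The GCV rows above, modeled as an added Python example (not code from Novell or the driver): it resolves driver-set inheritance, flags the settings the table calls out, and lists the GroupWise operations each eDirectory event leads to. The operation labels and sample values are constructed, and the model assumes the distribution-list and resource GCVs apply to whichever GroupWise state the selected action produces.

```python
# Added example: models the GCV table above; it is not the driver's code.
# GCV names and option strings come from the table. The operation labels
# ("disable", "reassign_resources", ...) are hypothetical.

OWNER = "Default Resource Owner User ID"
REASSIGN = "Reassign Resource Ownership"
INITIAL_PW = "Set the Initial/Default GroupWise Password on Account Creation"

# eDirectory event -> GCV that selects the GroupWise action for that event
EVENT_GCV = {
    "delete": "Action on eDirectory User Delete",
    "expire": "Action on eDirectory User Expire/Unexpire",
    "disable": "Action on eDirectory User Disable/Enable",
}
DELETE_OPTIONS = {
    "Delete the GroupWise Account": ["delete"],
    "Disable the GroupWise Account": ["disable"],
    "Expire the GroupWise Account": ["expire"],
    "Disable and Expire the GroupWise Account": ["disable", "expire"],
}
STATE_OPTIONS = {
    "Expire/Unexpire the GroupWise Account": ["expire"],
    "Disable/Enable the GroupWise Account": ["disable"],
    "Disable/Enable and Expire/Unexpire the GroupWise Account": ["disable", "expire"],
}
REMOVE_DL = {
    "expire": "Remove GW Account from All Distribution Lists on Expire",
    "disable": "Remove GW Account from All Distribution Lists on Disable",
}


def options_for(event):
    """Option strings the table lists for the GCV behind this event."""
    return DELETE_OPTIONS if event == "delete" else STATE_OPTIONS


def effective_gcvs(driver_set, driver):
    """A GCV that the driver lacks is inherited from the driver set."""
    merged = dict(driver_set)
    merged.update(driver)
    return merged


def validate(gcvs):
    """Return (severity, message) findings for settings the guide calls out."""
    findings = []
    if not (gcvs.get(OWNER) or "").strip():
        findings.append(("error", OWNER + " is empty: the driver does not start"))
    for event, name in EVENT_GCV.items():
        if gcvs.get(name) not in options_for(event):
            findings.append(("error", name + " has no valid option selected"))
    if gcvs.get(INITIAL_PW):
        findings.append(("review", "the initial password is stored in clear text "
                                   "and can be seen by an administrator"))
    return findings


def plan(event, gcvs):
    """List the GroupWise operations one eDirectory event leads to."""
    states = options_for(event)[gcvs[EVENT_GCV[event]]]
    if "delete" in states:
        # On delete the resources must be reassigned, whatever REASSIGN says.
        return [("reassign_resources", gcvs[OWNER]), ("delete", None)]
    ops = [(state, None) for state in states]
    if any(gcvs.get(REMOVE_DL[state], False) for state in states):
        ops.append(("remove_from_distribution_lists", None))
    if gcvs.get(REASSIGN, False):
        ops.append(("reassign_resources", gcvs[OWNER]))
    return ops


# Constructed sample values, not taken from a real driver set.
SAMPLE_DRIVER_SET = {
    OWNER: "IS admin",
    REASSIGN: False,
    REMOVE_DL["expire"]: True,
    REMOVE_DL["disable"]: False,
    INITIAL_PW: False,
}
SAMPLE_DRIVER = {
    REASSIGN: True,
    INITIAL_PW: True,
    EVENT_GCV["delete"]: "Disable and Expire the GroupWise Account",
    EVENT_GCV["expire"]: "Expire/Unexpire the GroupWise Account",
    EVENT_GCV["disable"]: "Disable/Enable the GroupWise Account",
}

if __name__ == "__main__":
    gcvs = effective_gcvs(SAMPLE_DRIVER_SET, SAMPLE_DRIVER)
    for finding in validate(gcvs):
        print(finding)
    for event in EVENT_GCV:
        print(event, "->", plan(event, gcvs))
```

With the sample values, an eDirectory delete leaves a disabled and expired mailbox rather than removing it, which is the kind of outcome worth confirming before relying on the driver for deprovisioning.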


Upgrading from the 2.1 Version of the Driver 


Use the steps in this section to upgrade from the DirXML Driver 2.1 for GroupWise. You might 
want to export your existing driver configuration before upgrading. (Your existing driver 
configurations are converted to the Identity Manager 2 format when you modify policies.) 


To upgrade from version 2.1: 
1 In Novell iManager, click eDirectory Administration > Modify Object. 
2 Specify the driver object’s name, then click OK. 
3 Scroll down to the Startup Option section, click Manual, then click OK. 


4 Shut down eDirectory or the Remote Loader.
5 Run the Identity Manager 2 installation program and select the GroupWise driver.

You install the driver over the existing 2.1 driver files. This step updates all necessary driver
files. Depending on where your iManager server resides, you might need to copy the driver
configuration to that server (if it is a remote server).

6 When the installation completes, reboot the computer where the driver exists. Also restart
eDirectory or the Remote Loader.
7 You should delete GWADJ1.DLL from any DirXML-related directories. If the file exists in
any other directory in the search path, you might encounter problems. Do not delete this file
from the ConsoleOne® directory.

You should also delete gwenvla.DLL and xgbas10a.DLL from the Novell\NDS directory
after installing the update. Do not remove these files from the \Winnt\system32 directory if
they exist there.

8 Migrate from eDirectory if the driver set or driver name changed.


Activating the Driver 


Activation must be completed within 90 days of installation or the driver will not run. 


For activation information, refer to “Activating Novell Identity Manager Products” in the Novell 
Nsure Identity Manager 2 Administration Guide (http://www.novell.com/documentation/lg/ 
dirxml20/index.html). 


NOTE: If you are upgrading from the 2.1 version of the driver, you do not need to reactivate the driver. 


Post-Installation Tasks


This section outlines tasks you need to complete after a local or remote installation.

+ “Modifying Policies” on page 25
+ “Modifying Global Configuration Values” on page 22
+ “Starting the Driver” on page 25
+ “Verifying That the Driver is Working Properly” on page 25
+ “Migrating eDirectory Users to GroupWise” on page 26


Installation on NetWare


If you installed the driver on the same NetWare server where the GroupWise agents exist and 
run, you need to modify the autoexec.ncf file. Open the file and locate the following line: 


SEARCH ADD SYS:\GRPWISE\AGENTS 


The \GRPWISE\AGENTS directory specifies where the GroupWise agents are installed. 
Immediately below this line, you should see the following: 


PROTECT SYS:\GRPWISE\AGENTS\GRPWISE.NCF 


This SYS line might already exist. If it does, do not add it again, but ensure that “PROTECT”
precedes the command.


You should replace \GRPWISE\AGENTS with the path to where the GroupWise agents are
installed on your server.


Modifying Policies


Before you start the driver and use it to synchronize data between eDirectory and GroupWise, you 
must modify the driver’s policies and filters for your specific business rules. See Chapter 3, “Using 
Policies and Filters,” on page 29 for complete information. 


Starting the Driver 
1 In iManager, click DirXML Management > Overview. 
2 Do one of the following options: 


+ Click Search Entire Tree to search your entire tree for the Driver set that contains the 
driver you want to start, then click Search. 


+ Click Search in Container, enter or browse for and select the container that holds the 
driver you want to start, then click Search. 


3 Click the DirXML Driver for GroupWise driver status button, then click Start Driver. 


NOTE: It is important not to disable the driver. When a driver is disabled, eDirectory events are not 
cached for the driver. 


Verifying That the Driver is Working Properly 


After the driver is installed, the driver configuration is imported, and the rules and style sheets have 
been customized, you should test the driver to see that it is working properly. (For more 
information on customizing rules and style sheets, see Chapter 3, “Using Policies and Filters,” on 
page 29.) 


Use the following steps to verify that the driver is working properly. When properly installed and 
configured, the driver synchronizes the changes to GroupWise. Use ConsoleOne with the 
GroupWise snap-ins to verify that the changes have been synchronized with GroupWise. 


To verify the driver is working properly: 
1 In Novell iManager, click DirXML Management > DirXML Overview. 
2 Do one of the following options: 


+ Click Search Entire Tree to search your entire tree for the Driver set that contains the 
driver, then click Search. 


+ Click Search in Container, and enter or browse for and select the container that holds the 
driver, then click Search. 


3 Click the DirXML Driver for GroupWise driver status button > click Start Driver. 
4 Add a new user to eDirectory. 
You need to specify only the Name and Surname attributes for this user. 
5 Open ConsoleOne with the GroupWise snap-ins. 
6 Verify that a new GroupWise account was created in the correct post office. 
7 Using Novell iManager, delete the user from eDirectory.


8 Using ConsoleOne with the GroupWise snap-ins, verify that the GroupWise account is
deleted from the post office.


WARNING: If you create eDirectory users with ConsoleOne, be sure to use a ConsoleOne without the
GroupWise snap-ins installed. The ConsoleOne snap-ins for GroupWise follow the driver and remove some
vital data from eDirectory. This has been fixed in the snap-ins released with GroupWise 6.5.


Migrating eDirectory Users to GroupWise 


Under most circumstances, eDirectory and GroupWise already contain information prior to the 
installation of Identity Manager. The Migrate function in Identity Manager lets you select the users 
in eDirectory, then perform a migration to GroupWise. You can use the migration function to 
establish the initial association between eDirectory and the GroupWise driver. The driver does not 
work properly unless you do this. You should also complete a migrate operation if the driver or 
driver set name changes. 


This migration option in Novell iManager lets you select individual users to migrate from
eDirectory into GroupWise. The DirXML engine applies all Matching, Placement, and Creation 
policies and the filter to the objects that you choose to migrate. 


To migrate eDirectory users to GroupWise: 
1 In Novell iManager, click DirXML Management > Overview. 
2 Browse to the driver object to which you will be migrating data. 
3 Click Migrate from eDirectory. 
4 Click Add > select the container or user objects you want to migrate. 


5 Click OK. 


When using this functionality, take into consideration any global configuration setting that 
controls whether or not GroupWise accounts are created for selected users who don't already have 
an account. 


Additional Considerations 


This section contains information to help you as you use the DirXML Driver for GroupWise. 
+ “Disabling the Driver” on page 26 
+ “Partition Issues” on page 27 
+ “Driver Access Rights and Membership” on page 27 
+ “Managing Distribution Lists from the GroupWise Snap-ins” on page 27 
+ “Synchronizing Group Objects” on page 27 
+ “Removing a GroupWise Account Using the GroupWise Snap-Ins” on page 27 
+ “Re-associating a GroupWise Account with an eDirectory User” on page 28 
+ “User Renames” on page 28 
+ “Migrate from eDirectory” on page 28 


+ “Deleting Users and Accounts Using the GroupWise Snap-Ins” on page 28 


Disabling the Driver 


It is important not to disable the driver. When a driver is disabled, eDirectory events are not
cached.


Partition Issues


+ The driver can only access eDirectory objects in the partitions on the server where the driver 
is installed. 


+ Users, post offices, resources, and distribution lists must be in the same partition. (Or, the 
partitions containing these objects must all have replicas on the server running the driver.) 


Driver Access Rights and Membership 


The driver must have read/write access to User objects, post offices, resources, and distribution 
lists, and create rights to the post office container in eDirectory. Normally, the driver should be 
given security equal to Admin. 


If you are creating external post offices, the driver also needs read/write access to the domain. 


Managing Distribution Lists from the GroupWise Snap-ins 


The driver does not manage distribution lists directly and is not aware of the changes to 
distribution lists. Distribution lists must be managed by the GroupWise snap-ins. Through the user 
object, any user event can be modified to add or remove the user to or from specific distribution 
lists. You can also remove the user from all distribution lists. 


Synchronizing Group Objects 


If the option to synchronize Groups (creating, deleting, renaming, or making membership 
changes) is enabled, the driver creates a Distribution List in GroupWise when the user creates a 
Group in eDirectory and then links the two together. If the Group is renamed, the description 
modified, or users are added or removed to or from the Group, the driver synchronizes the changes 
with the Distribution List in GroupWise. This corresponds to similar functionality in the 
GroupWise snap-ins for ConsoleOne®. 


The default Placement policy adds the Distribution Lists to the post office specified when the 
driver is created. If you want the Distributions Lists to be added to a different post office, or various 
post offices depending on some criteria, you need to change the placement policy. See “Specifying 
Distribution Lists” on page 33 for more information. 


By default, this occurs for all Groups created in eDirectory. You should add rules to the Create 
policy to limit what Groups (by containment or attribute value) get processed by the driver. 


GroupWise Distribution List objects in eDirectory are not treated this way by the driver. The driver
does not respond to changes made to GroupWise distribution lists, because the only way to create,
delete, or modify these objects is using the GroupWise snap-ins (and the snap-ins do the 
synchronization). However, you can add or remove users to or from the GroupWise distribution 
lists by modifying events on individual users. 


Removing a GroupWise Account Using the GroupWise Snap-Ins 


Use the steps in this section if it is necessary to remove the GroupWise account using the
GroupWise snap-ins.


1 Do one of the following:
+ If a DirXML association exists, change the state to Disabled.

When the user has a DirXML association to the driver with the state set to Disabled, and
an attribute is changed in eDirectory, DirXML disregards the modify request.

+ If a DirXML association does not exist, manually create one, set the associated object ID
to any value, then set the state to Disabled.

When the user does not have a DirXML association and an attribute is changed on the
eDirectory user, the GroupWise account is re-created. When a user has a DirXML
association to the driver with the state set to Disabled, and an attribute is changed in
eDirectory, DirXML discards the modify request.


2 Delete the GroupWise account. 
3 To re-create the GroupWise account, delete the association. 


4 Change an eDirectory attribute on the user that the driver watches for modifications or 
Resync. 


Re-associating a GroupWise Account with an eDirectory User


Administrators sometimes delete the value of the GroupWise ID attribute (disassociate) from an
eDirectory user and then re-associate (graft) it. This action resets the relationship between an
eDirectory user and a GroupWise account. This action only involves the GroupWise snap-ins and
does not involve the driver. Care should be taken when using this procedure. Changes made to the
eDirectory user between the time the GroupWise ID is deleted and the user is re-associated are not
synchronized to GroupWise. This is not a recommended procedure. Refer to the GroupWise
Documentation for known issues and precautions.


User Renames


Using the GroupWise snap-ins to rename users is not recommended. However, if the user is
renamed using the GroupWise snap-ins, it must be done with GroupWise 6 Support Pack 1 or higher.
Otherwise, the driver could generate errors.


Migrate from eDirectory 


For more information, refer to “Migrating eDirectory Users to GroupWise” on page 26. 


Deleting Users and Accounts Using the GroupWise Snap-Ins 


You can delete an eDirectory User and the corresponding GroupWise account with the GroupWise 
snap-ins. The recommended procedure is to remove the user from the authoritative data source and 
let the driver remove the account from GroupWise. The eDirectory user must have a valid 
DirXML association to the driver for this to work. The driver might log a warning or error if the 
account is deleted using the GroupWise snap-ins. The object might have already been removed by
the GroupWise snap-ins when the driver tries to delete it.


Using Policies and Filters


This section explains how to use and modify policies and filters to synchronize data between
Novell® eDirectory™ and GroupWise® according to your specific business rules.


Using Policies 


The DirXML® Driver for GroupWise synchronizes data and events from eDirectory through a
series of policies. Policies help Identity Manager make decisions as the documents traverse a 
channel. A policy might determine that a document needs to be transformed in some way before 
continuing to the destination. For example, a Create policy specifies that a User object must have 
a value for the CN attribute, so any attempt to create a User object without a CN value is not 
allowed by that policy. 


The policies in this chapter are examples of the many possible solutions for your company’s 
business rules. The code segments show simple and partial solutions and do not cover all situations 
and conditions. In addition, the code segments only process the attributes of interest and do not 
handle other attributes. 


Default Driver Actions 


The driver performs several actions by default: 


+ The user's eDirectory Common Name (CN) is used as the GroupWise MailboxID when a 
GroupWise account is created.


+ The driver configuration uses a single post office. All accounts are created in a single post 
office. 


Modifying Default Settings in Policies and the Filter 


You set defaults for policies and filters when you import the driver configuration. If you want to 
change the default behavior of the driver, we recommend that you make modifications in this 
order: 


1. Modify the driver filter to include additional attributes to be synchronized. See “Modifying 
the Driver Filter” on page 30 for more information. 


2. Modify the Schema Mapping policy to include all attributes to be synchronized. See “Adding 
Entries to the Schema Mapping Policy” on page 30 for more information. 


3. Modify the Subscriber Create policy. See “Modifying the Create Policy” on page 30 for more 
information. 


4. Modify the Placement policy. See “Modifying Policies” on page 31.


Modifying the Driver Filter


The driver filter contains the eDirectory classes and attributes for the Publisher and Subscriber 
channels. The purpose of the filter is to define how attributes are shared between systems. All 
attributes in the driver filter are required for processing, so you should not remove attributes from 
the filter. 


You can, however, make additions to the filter. If you add classes or attributes to the filter, you 
should append the “merge-authority” string to the added attribute in the Mapping policy. 


For example: 


<filter-attr attr-name="Description" merge-authority="edir" 
publisher="ignore" subscriber="sync"/> 


Adding Entries to the Schema Mapping Policy 


The Schema Mapping policy is contained in the driver object and applies to both the Subscriber 
and Publisher channel. The purpose of the Schema Mapping policy is to map schema names 
(particularly attribute names and class names) between the eDirectory namespace and the 
GroupWise namespace. Do not modify or remove existing entries in the Schema Mapping policy. 
You can, however, add entries to the Schema Mapping policy. 


Modifying the Create Policy 


You modify the Create policy to implement your specific business rules. The Create policy 
determines whether or not a GroupWise account is created. A Create policy also can perform other 
modifications to the <add> event, such as providing default values for attributes. 


In the driver configuration, the Create policy specifies two required attributes: CN and Surname. 


The policy is controlled by a global configuration value (GCV) that sets the initial password to 
<surname>-<CN>. For more information on GCVs, refer to “Understanding Global Configuration 
Values” on page 30. 


Modifying the Placement Policy 


Matching policies define the minimum criteria that two objects must meet to be considered the 
same. 


Understanding Global Configuration Values


Global configuration values (GCVs) are new settings that are similar to driver parameters. Global
configuration values can be specified for a driver set as well as an individual driver. If a driver does
not have a GCV value, the driver inherits the value for that GCV from the driver set.


GCVs allow you to specify settings for new Identity Manager features such as password 
synchronization and driver heartbeat, as well as settings that are specific to the GroupWise driver. 
For more information, refer to “Using Global Configuration Values” in the Novell Nsure Identity
Manager 2 Administration Guide.


Modifying Policies


You can modify the existing driver policies to perform additional functionality.

+ “Specifying the GroupWise Post Office” on page 31
+ “Specifying Distribution Lists” on page 33
+ “Removing a User from a Distribution List when He or She is No Longer a Manager” on
page 36
+ “Removing a User from All Distribution Lists” on page 37
+ “Setting Defaults for GroupWise Attributes” on page 37
+ “Configuring the GroupWise UserID” on page 38
+ “Creating Mappings for Additional Attributes” on page 38
+ “Getting a Record Count from a Query” on page 39
+ “Deleting the GroupWise User without Deleting the eDirectory User” on page 39
+ “Creating a GroupWise Nickname” on page 39
+ “Creating a GroupWise Nickname Record” on page 40
+ “Specifying a New Resource Owner on an Owner Delete” on page 41
+ “Specifying a New Resource Owner on an Owner Disable or Expire” on page 41
+ “Controlling Creation of GroupWise Accounts” on page 42
+ “Moving Users from One Post Office to Another Post Office” on page 43
+ “Adding Additional Attributes to Be Synchronized” on page 43
+ “Renaming Users” on page 44
+ “Creating a Gateway Alias” on page 45
+ “Querying for a Nickname” on page 45
+ “Querying for a Gateway Alias” on page 47
+ “Querying for Internet EMail Address” on page 48
+ “Synchronizing External Users” on page 48
+ “Specifying an External Post Office in an Add Event” on page 49
+ “Creating External Post Offices” on page 50
+ “Specifying a Non-GroupWise Domain in an Add Event” on page 50


Specifying the GroupWise Post Office 


By default, the GroupWise Subscriber Placement rule puts all new users in the same post office. 
The Placement policy can also determine the post office based on an attribute value or the 
eDirectory user container. 


The following example, created in Policy Builder, specifies the post office based on the eDirectory
container where the user was created.


[Figure: Rule Builder. Description: Users in sales container are placed in post office 01.
Conditions (AND Conditions, OR Groups), Condition Group 1: class name, case insensitive;
in container Novell\GroupWise\Sales. Action: set operation destination DN, DN "Novell\GroupWise\PO1".]


The following graphic shows the policies needed to place users in the Sales container into PO1 and
users in the Engineering container into PO2.


[Figure: DirXML Policy, Placement Policies. Policy Rules:
"Users in sales container are placed in post office 01": set operation destination
DN(dn("Novell\GroupWise\PO1")), break().
"Users in Engr container are placed in post office 02": set operation destination
DN(dn("Novell\GroupWise\PO2")), break().]


Specifying Distribution Lists 


You can automatically add new GroupWise accounts to a distribution list when they are created. 
Distribution lists are used by organizations to assure that the appropriate individuals are included 
in various internal communications. Wherever possible, organizations want to automatically assign 
new employees to these distribution lists so that they can immediately participate in the 
communications that are relevant to them. 


Using a Subscriber Create policy, when an eDirectory user is created, the GroupWise account can 
be added to a distribution list based on the eDirectory container. When a user is created in the Sales 
container, the user is added to the Sales Distribution List. When a user is created in the Engineering 
container, the user is added to the Engineering Distribution List. 


The policies in this section, created using Policy Builder, show how to configure the following 
actions: 


+ “Creating a New User as a Member of a Distribution List Based on the User's eDirectory 
Container” on page 34 


+ “Adding a User to a Distribution List when He or She Becomes a Manager” on page 35 


+ “Removing a User from a Distribution List when He or She is No Longer a Manager” on
page 36
+ “Removing a User from All Distribution Lists” on page 37


Using Policy Builder, you can use these examples to create similar policies and Distribution Lists 
for your business rules and environment. 


Creating a New User as a Member of a Distribution List Based on the User's eDirectory 
Container 


[Figure: Rule Builder. Description: Users in Engr container are placed in the EngrDL distribution
list. Conditions (AND Conditions, OR Groups), Condition Group 1: class name, case insensitive,
User; in container Novell\GroupWise\Engr. Action: set destination attribute value. Attribute name:
Distribution List DN. Class name: User. Mode: add to current operation. Object: Current object.
DN: "Novell\GroupWise\EngrDL".]


Adding a User to a Distribution List when He or She Becomes a Manager


[Figure: Rule Builder. Description: Add a user to the MgrDL distribution list when made a manager.
Conditions (AND Conditions, OR Groups), Condition Group 1: class name equal, case insensitive,
User; operation attribute isManager, changing to. Action: set destination attribute value.
Attribute name: Distribution List DN. Class name: User. Mode: add to current operation.
Object: Current object. DN: "Novell\GroupWise\MgrDL".]


Removing a User from a Distribution List when He or She is No Longer a Manager


[Figure: Rule Builder. Description: Remove a user from all distribution lists. Conditions
(AND Conditions, OR Groups), Condition Group 1: class name, case insensitive, User.
Action: clear destination attribute value. Attribute name: Distribution List DN. Class name: User.
Mode: add to current operation. Object: Current object.]


Removing a User from All Distribution Lists


[Figure: Rule Builder. Description: Remove a user from all distribution lists. Conditions
(AND Conditions, OR Groups), Condition Group 1: class name, User. Action: clear destination
attribute value. Attribute name: Distribution List DN. Mode: add to current operation.
Object: Current object.]


Setting Defaults for GroupWise Attributes 


Other attributes can be set in the GroupWise account using the Create policy. Some attributes must
be set in both eDirectory and GroupWise. When the eDirectory user object contains a
corresponding attribute, it must be set. It is important that attribute values are set in both eDirectory
and GroupWise. If the attribute is only set in GroupWise, it could be overwritten with the value in
eDirectory. You must customize the driver so that it updates values in eDirectory; the driver does
not do this by default.


The following example shows setting the Description attribute (Visibility is another common
attribute) in eDirectory and GroupWise. The attribute write-back="true" causes the attribute to
also be written in eDirectory.


<?xml version="1.0" encoding="UTF-8"?>
<create-rules>
   <create-rule class-name="User" description="GroupWise Account Required Attributes">
      <!-- Description attribute is given a default value in both eDirectory and in GroupWise -->
      <required-attr attr-name="Description" write-back="true">
         <value type="String"><![CDATA[eDirectory User synchronized by GroupWise Driver]]></value>
      </required-attr>
   </create-rule>
</create-rules>


Configuring the GroupWise UserID


The CN attribute in eDirectory is used to name the GroupWise account. You must include this in 
the Create policy as a required attribute. The CN value from eDirectory can be ignored in the 
Subscriber Create policy and a CN based on other attributes can be generated. An example code 
segment from a Create policy is shown below. If you make modifications to this policy, the modify 
events coming from the engine also need to be modified. 


When an attribute used to construct the CN is modified, a GroupWise rename event should be
generated via the policies. The UserID must be unique within a post office. If UserID is used to
generate Internet EMail Address, it must be unique in the entire GroupWise system. The UserID
contains 1 to 256 characters, and cannot contain the following characters: ( ) @ . : , { } * ". The
UserID must be unique within its namespace (UserID shares the same namespace as nicknames,
resources, and distribution lists). Do not use “mapi” (reserved ID) for this value.


An Output Transformation or Event Transformation policy can monitor the attributes used to build
the CN. If one of these attributes changes, a rename event should also be generated. Any attributes
used here need to be added to the list of required attributes. In this case, rename events should still
be forwarded to the driver with an empty <newname> element. See “Renaming Users” on page 44
for more information.


<!-- CN is used to set the GroupWise UserID.
     Construct a new CN from Given Name.
-->
<xsl:template match="add-attr[@attr-name = 'CN']">
   <!-- ignore the current CN and create a new one -->
   <add-attr attr-name="CN">
      <value type="string">
         <xsl:value-of select="../add-attr[@attr-name='Given Name']/value"/>
      </value>
   </add-attr>
</xsl:template>


Creating Mappings for Additional Attributes 


You can synchronize any attribute that can be represented as a string in eDirectory with one of 
twenty GroupWise generic attributes (excluding octet strings and structured attributes). You 
specify the eDirectory attribute you want to map in the filter. In addition, the eDirectory and 
GroupWise attribute names must be connected in the Schema Mapping policy. 


The Schema Mapping rule code segment below connects the eDirectory attribute Location with
the GroupWise attribute 55003. The twenty GroupWise attribute names are 50106 through 50115
and 55002 through 55011. Address book labels can be assigned to these GroupWise attributes
through the GroupWise snap-ins. You should configure the same mappings in GroupWise as you
do in the driver mappings.


<attr-name class-name="User">
   <nds-name>Location</nds-name>
   <app-name>55003</app-name>
</attr-name>


Getting a Record Count from a Query


The following query, sent to the driver, will return the number of users in dom1.po1.


<nds dtdversion="1.1" ndsversion="8.6">
   <input>
      <query event-id="query-groupwise" scope="subtree">
         <search-class class-name="User"/>
         <!-- Referenced Domain Name -->
         <search-attr attr-name="50035">
            <value>dom1</value>
         </search-attr>
         <!-- Referenced Post Office Name -->
         <search-attr attr-name="50062">
            <value>po1</value>
         </search-attr>
         <!-- return Record Count -->
         <read-attr attr-name="Record Count"/>
      </query>
   </input>
</nds>


If you remove the post office search attr, it will return the number of users in dom1. If you remove 
the domain search attr, it will return the number of users in the system. This search can be altered 
to apply to other search criteria. 


Deleting the GroupWise User without Deleting the eDirectory User 


After deleting the user in GroupWise, the driver cleans up the GroupWise attributes in eDirectory. 
The result is the same as deleting the user with the GroupWise snap-ins and only selecting delete 
from GroupWise. 


You will need to change the match criteria to match the needs of your environment.


<!-- delete the GroupWise user and clean up eDirectory when the eDirectory
     user has not been deleted -->
<xsl:template match="modify[@class-name='User' and modify-attr[@attr-name='50000']]">
   <delete xmlns:gw="http://www.novell.com/dirxml/gwdriver" gw:original-event="modify">
      <!-- copy event attributes and association -->
      <xsl:apply-templates select="@*|association"/>
   </delete>
</xsl:template>


Creating a GroupWise Nickname 


GroupWise nicknames can be automatically created when an eDirectory User is renamed or when
a GroupWise account is moved. This is controlled in iManager on the driver through the Global
Configuration Value page. When you set this option to True, nicknames are automatically created 
when an eDirectory rename occurs or when a GroupWise account is moved. When you set this 
option to False, nicknames are not created. Nickname creation requires GroupWise 6 SP1 or 
higher agents to be running. 


You can override this option by adding code to the Output Transformation policy to specify
whether a nickname should be created.


<!--
   Override the "Create Nicknames" Driver Option
-->
<xsl:template match="rename">
   <xsl:copy>
      <!-- Create a GroupWise nickname. -->
      <xsl:attribute xmlns:gw="http://www.novell.com/dirxml/gwdriver" name="gw:create-nickname">true</xsl:attribute>
      <xsl:apply-templates select="@*|node()"/>
   </xsl:copy>
</xsl:template>


Creating a GroupWise Nickname Record 


The following examples show two ways to create a nickname record. The first specifies the post 
office in which the nickname is created in the <dest-dn> attribute (this implies the domain). The 
second example uses <add-attr> nodes to specify the domain and post office. 


The Nickname can contain 1 to 256 characters, and cannot contain the following characters: 
()@.:,{}*". It must be unique within its namespace (nicknames share the same namespace as users, 
resources, and distribution lists.) 


<add class-name="GroupWise Nickname" dest-dn="Novell\dirxml\groupwise\xmlPO" event-id="0" > 
  <!-- Domain of user this nickname refers to --> 
  <add-attr attr-name="50068" > 
    <value type="string">xmlDom</value> 
  </add-attr> 
  <!-- Post Office of user this nickname refers to --> 
  <add-attr attr-name="50069" > 
    <value type="string">xmlPO</value> 
  </add-attr> 
  <!-- user this nickname refers to --> 
  <add-attr attr-name="50070" > 
    <value type="string">Usernl</value> 
  </add-attr> 
  <!-- name of nickname record --> 
  <add-attr attr-name="50073" > 
    <value type="string">nn1</value> 
  </add-attr> 
</add> 


OR 


<add class-name="GroupWise Nickname" event-id="0" > 
  <!-- Domain of user this nickname refers to --> 
  <add-attr attr-name="50068" > 
    <value type="string">xmlDom</value> 
  </add-attr> 
  <!-- Post Office of user this nickname refers to --> 
  <add-attr attr-name="50069" > 
    <value type="string">xmlPO</value> 
  </add-attr> 
  <!-- user this nickname refers to --> 
  <add-attr attr-name="50070" > 
    <value type="string">Usernl</value> 
  </add-attr> 
  <!-- Domain of nickname record --> 
  <add-attr attr-name="50035" > 
    <value type="string">xmlDom</value> 
  </add-attr> 
  <!-- Post Office of nickname record --> 
  <add-attr attr-name="50062" > 
    <value type="string">xmlPO</value> 
  </add-attr> 
  <!-- name of nickname record --> 
  <add-attr attr-name="50073" > 
    <value type="string">nn1</value> 
  </add-attr> 
</add> 


Specifying a New Resource Owner on an Owner Delete 


If the owner of a resource (a conference room, for instance) is deleted, the driver automatically 
assigns that resource to another owner. You must designate a default user for all resource 
assignments. At the time the resource is assigned, if the driver detects no default user account, it 
creates the default user account and assigns the resource to that user. 


Through a policy, you can specify an override owner. Using the Output Transformation policy, the 
eDirectory User delete is selected. The special attribute, gw:resource-owner-dn, is used to notify 
the shim of the override resource owner. This special attribute is specified on the <delete> element. 
Resources are always reassigned on a delete. The new owner must already exist in GroupWise and 
be in the same post office as the user being deleted. If a failure occurs using the override owner, 
the resources are automatically assigned to the default user specified in the Driver Options. The 
XSLT code segment is: 


<!-- User Delete 
Reassigns GroupWise Resource 
On an eDirectory User delete specify the GroupWise Account 
to reassign the GW resources to. 
--> 
<xsl:template match="delete[@class-name='User']"> 
  <!-- copy the delete through --> 
  <xsl:copy> 
    <!-- Specify the override resource owner on the <delete> --> 
    <xsl:attribute xmlns:gw="http://www.novell.com/dirxml/gwdriver" 
        name="gw:resource-owner-dn">\GWDRIVERTREE\novell\users\sales\ResourceOwner</xsl:attribute> 
    <!-- copy the rest of the stuff through --> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
</xsl:template> 


Specifying a New Resource Owner on an Owner Disable or Expire 


If the owner of a resource (a conference room, for instance) is disabled or expired, you can 
configure the driver to automatically assign that resource to another owner (using GCVs.) In this 
process, you can designate a default user for all resource assignments. At the time a resource is 
being reassigned, if the driver detects no default user account, it creates a default user account and 
assigns it as the resource owner only if the Reassign Resource Ownership driver GCV is set to Yes. 


When an eDirectory User Login Disabled attribute is set, the GroupWise resources of the disabled 
or expired account can be assigned to another GroupWise account. Normally, the new owner is a 
default user specified in the Default Resource Owner UserID parameter. Through a style sheet, an 
override owner can be specified. Using the Output Transformation style sheet, the eDirectory User 
login disable is selected. The special attribute, gw:resource-owner-dn, is used to notify the shim 
of the override resource owner. This special attribute is specified in the <modify-attr> element. 
The resources are assigned to the override owner even when the Reassign Resource Ownership 
GCV is set to No. The new owner must already exist in GroupWise and be in the same post office 
as the user being expired. If a failure occurs using the override owner, the resources are 
automatically assigned to the default user specified in the Driver Options. The XSLT code 
segments for disabling and expiring are: 


<!-- When a GroupWise Account is Disabled also specify the GroupWise Account to reassign the 
GW resources to. --> 
<xsl:template match="modify-attr[@attr-name='50058']"> 
  <!-- copy the modify through for every value, so that clearing Login Disabled also reaches GroupWise --> 
  <xsl:copy> 
    <!-- When Login Disabled is true, reassign the resource --> 
    <xsl:if test="add-value//value[.='true']"> 
      <!-- Specify the override resource owner on the <modify-attr> --> 
      <xsl:attribute xmlns:gw="http://www.novell.com/dirxml/gwdriver" 
          name="gw:resource-owner-dn">\GWDRIVERTREE\novell\users\sales\ResourceOwner</xsl:attribute> 
    </xsl:if> 
    <!-- copy the rest of the stuff through --> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
</xsl:template> 


<!-- User Expire to GroupWise Expire and Reassign GroupWise Resources 
When the eDirectory User Login Expiration Time attribute is modified, 
change the GroupWise Mailbox Expiration Time and 
specify the GroupWise Account to reassign the GroupWise resources to. 
--> 
<xsl:template match="modify-attr[@attr-name='Login Expiration Time']"> 
  <!-- copy the modify through --> 
  <xsl:copy> 
    <!-- copy all attributes through except for the attr-name --> 
    <!-- we'll construct the GroupWise attr-name below --> 
    <xsl:apply-templates select="@*[name(.) != 'attr-name']"/> 
    <!-- now create the attr-name attribute with the GroupWise name --> 
    <xsl:attribute name="attr-name">50138</xsl:attribute> 
    <!-- Specify the override resource owner on the <modify-attr> --> 
    <xsl:attribute name="gw:resource-owner-dn" 
        xmlns:gw="http://www.novell.com/dirxml/gwdriver">\GWDRIVERTREE\novell\users\sales\ResourceOwner</xsl:attribute> 
    <!-- copy the rest of the stuff through, except for what we have already copied --> 
    <xsl:apply-templates select="* | comment() | processing-instruction() | text()"/> 
  </xsl:copy> 
</xsl:template> 


Controlling Creation of GroupWise Accounts 


There might be situations where an eDirectory user is created and you do not want to create a 
corresponding GroupWise account. In addition, not all eDirectory users initially have a 
GroupWise account. You can use the driver to control the creation of GroupWise accounts. 


The recommended way to control the creation of an account is to define an attribute that states 
whether a GroupWise account is to be created (true/false), for example, the 
createGroupWiseAccount attribute. 


The eDirectory schema must be extended to include the attribute createGroupWiseAccount. When 
the createGroupWiseAccount attribute is set to true, the GroupWise account is created. When the 
createGroupWiseAccount attribute is set to false, the GroupWise account is not created. Changing 
the value from false to true causes the GroupWise account to be created. 


The createGroupWiseAccount attribute must be added to the Create policy as a required attribute 
and also added to the Subscriber Filter. 


<!-- createGroupWiseAccount is used to control creation of the GroupWise Account --> 
<match-attr attr-name="createGroupWiseAccount"> 
  <value><![CDATA[true]]></value> 
</match-attr> 


Moving Users from One Post Office to Another Post Office 


When a style sheet is not configured to move GroupWise accounts, we recommend that you use 
the GroupWise 6 snap-ins (or higher) for user moves. If you use an older version of the GroupWise 
snap-ins, it can cause the driver to generate errors. 


When the Output Transformation style sheet is configured to move GroupWise accounts, we 
recommend that user moves be made in eDirectory and that the driver assign the object to a new 
post office in GroupWise. The XSLT code segment for the Output Transformation policy is shown 
below. The dest-dn attribute on the parent element specifies the new post office. 


<!-- 
On an eDirectory User Move add the GroupWise Post Office DN 
based on the User's new container 
--> 
<xsl:template match="move[@class-name='User']"> 
  <!-- copy the Move through --> 
  <xsl:copy> 
    <!-- copy the attributes from the <move> element --> 
    <xsl:apply-templates select="@*"/> 
    <association> 
      <xsl:value-of select="association"/> 
    </association> 
    <parent> 
      <xsl:attribute name="src-dn"> 
        <xsl:value-of select="parent/@src-dn"/> 
      </xsl:attribute> 
      <!-- Specify the post office DN based on the container --> 
      <xsl:choose> 
        <xsl:when test="parent/@src-dn = '\GWDRIVERTREE\Novell\Users\Sales'"> 
          <xsl:attribute name="dest-dn">\GWDRIVERTREE\Novell\GroupWise\Post Offices\Sales PO</xsl:attribute> 
        </xsl:when> 
        <xsl:when test="parent/@src-dn = '\GWDRIVERTREE\Novell\Users\Engineering'"> 
          <xsl:attribute name="dest-dn">\GWDRIVERTREE\Novell\GroupWise\Post Offices\Engineering PO</xsl:attribute> 
        </xsl:when> 
      </xsl:choose> 
    </parent> 
  </xsl:copy> 
</xsl:template> 


Adding Additional Attributes to Be Synchronized 


You can map up to twenty user eDirectory attributes to generic GroupWise attributes and display 
them in the address book. For these attributes, you use the ranges 50106-50115 or 55002-55011. 
You must first add these eDirectory attributes to the filter. Any attribute names you add to the filter 
must be added to the Schema Mapping policy. You must configure these attributes in the 
GroupWise snap-ins for these attributes to appear in the GroupWise address book. 


Renaming Users 


We recommend that you rename users by changing the naming attribute in eDirectory and letting 
the driver rename the GroupWise account. When CN is the naming attribute (this is the default), 
no special style sheet coding is required for a rename process. However, the GroupWise 
MailboxID can be built from attributes other than CN. When one of these attributes is modified, 
the GroupWise account should also be renamed. The XSLT code segment is shown below. In this 
example, the eDirectory attribute Given Name is used to name the GroupWise account. When 
Given Name is modified, a GroupWise rename is generated. 


The second template below, <xsl:template match="rename[@class-name='User']">, handles the 
case where the eDirectory User object was renamed. In this case the <rename> command is passed 
through to the driver. The empty <new-name/> element blocks the driver from renaming the 
GroupWise account. Even though the GroupWise account is not renamed, the rename event must 
pass to the driver. 


We do not recommend that you use the GroupWise snap-ins to do a rename. However, if the user 
is renamed using the GroupWise snap-ins, it must be done with GroupWise 6 SP1 or higher. If you 
use an older version of the GroupWise snap-ins, it can cause the driver to generate errors. 


Example 1 


<!-- When the attribute used to set CN changes, in this case Given Name, create an element 
<new-name> to rename the GroupWise Account 
--> 
<xsl:template match="modify[@class-name='User']"> 
  <!-- Copy the <modify> through so all changes get made, whether or not Given Name changed --> 
  <xsl:copy> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
  <!-- Given Name is used for the GroupWise CN, when it changes do a rename --> 
  <xsl:if test="modify-attr[@attr-name='50091']"> 
    <!-- generate a <rename> --> 
    <rename class-name="User"> 
      <!-- copy the attributes from the <modify> element to the <rename> element --> 
      <xsl:apply-templates select="@*"/> 
      <!-- The object was not renamed in eDir so use src-dn for src-dn and old-src-dn --> 
      <xsl:attribute name="old-src-dn"> 
        <xsl:value-of select="@src-dn"/> 
      </xsl:attribute> 
      <!-- copy the children from the <modify> element to the <rename> element --> 
      <xsl:apply-templates select="node()"/> 
      <new-name> 
        <xsl:value-of select="modify-attr[@attr-name='50091']/add-value/value"/> 
      </new-name> 
    </rename> 
  </xsl:if> 
</xsl:template> 


Example 2 


<!-- 
When the User object is renamed in eDirectory, the GroupWise account is not renamed since it 
is named by the Given Name attribute 
--> 
<xsl:template match="rename[@class-name='User']"> 
  <!-- Copy the rename through except new-name --> 
  <xsl:copy> 
    <xsl:apply-templates select="@*|node()[name() != 'new-name']"/> 
    <!-- <new-name> does not change since the GW account is named by the Given Name attribute --> 
    <new-name /> 
  </xsl:copy> 
</xsl:template> 


Creating a Gateway Alias 


The following XSLT code segment shows how to create a gateway alias in the Output 
Transformation policy. Your code is responsible for generating the value of attributes 50140 and 
50077. 


<xsl:template match="add[@class-name='User']"> 
  <xsl:copy> 
    <xsl:apply-templates select="@*"/> 
    <add-attr attr-name="Gateway Alias"> 
      <value type="structured"> 
        <component name="50140"><![CDATA[SMTP]]></component> 
        <component name="50077"><![CDATA[UserOne@novell.com]]></component> 
      </value> 
    </add-attr> 
    <xsl:apply-templates select="* | comment() | processing-instruction() | text()"/> 
  </xsl:copy> 
</xsl:template> 


Querying for a Nickname 


The following Output Transformation policy shows how to query for the GroupWise 
Nickname. The search-attrs in this style sheet are optional. They are used to scope the search. When 
you specify a Post Office name (50069), you must also specify a Domain name (50068). More than 
one Nickname can be returned. 


For example, User2a is renamed to User2b, then renamed to User2c. There will be two Nickname 
records (User2a and User2b) which both reference User2c. 


This code sample queries the User of the current event for nicknames. You should use different 
match criteria. 


<xsl:template match="modify[@class-name='User']"> 
  <xsl:copy> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
  <xsl:variable name="query"> 
    <nds dtdversion="1.0" ndsversion="8.5"> 
      <input> 
        <query class-name="{@class-name}" event-id="query-groupwise" scope="entry"> 
          <association> 
            <xsl:value-of select="association"/> 
          </association> 
          <!-- User Domain Name --> 
          <read-attr attr-name="50035"/> 
          <!-- User Post Office Name --> 
          <read-attr attr-name="50062"/> 
          <!-- User Object Name --> 
          <read-attr attr-name="50073"/> 
        </query> 
      </input> 
    </nds> 
  </xsl:variable> 
  <xsl:variable name="gw-data" select="query:query($destQueryProcessor, $query)//instance"/> 
  <xsl:variable name="query2"> 
    <nds dtdversion="1.0" ndsversion="8.5"> 
      <input> 
        <query event-id="query-groupwise" scope="subtree"> 
          <search-class class-name="GroupWise Nickname" /> 
          <!-- Referenced Domain Name --> 
          <search-attr attr-name="50068"> 
            <value> 
              <xsl:value-of select="$gw-data//attr[@attr-name='50035']/value"/> 
            </value> 
          </search-attr> 
          <!-- Referenced Post Office Name --> 
          <search-attr attr-name="50069"> 
            <value> 
              <xsl:value-of select="$gw-data//attr[@attr-name='50062']/value"/> 
            </value> 
          </search-attr> 
          <!-- Referenced Object Name --> 
          <search-attr attr-name="50070"> 
            <value> 
              <xsl:value-of select="$gw-data//attr[@attr-name='50073']/value"/> 
            </value> 
          </search-attr> 
          <!-- Domain Name of Nickname Record --> 
          <read-attr attr-name="50035"/> 
          <!-- Post Office Name of Nickname Record --> 
          <read-attr attr-name="50062"/> 
          <!-- Object Name of Nickname Record --> 
          <read-attr attr-name="50073"/> 
        </query> 
      </input> 
    </nds> 
  </xsl:variable> 
  <xsl:variable name="gw-nickname" select="query:query($destQueryProcessor, $query2)//instance"/> 
</xsl:template> 


Result 


<nds dtdversion="1.1" ndsversion="8.6"> 
<source> 
<product build="20020409 1220" instance="GroupWise ZDS Driver" version="1.0a Beta">DirXML 
Driver for GroupWise</product> 
<contact>Novell, Inc.</contact> 
</source> 
<output> 
<instance class-name="GroupWise Nickname" event-id="0"> 
<attr attr-name="50035"> 
<value type="string">TaoDom</value> 
</attr> 
<attr attr-name="50062"> 
<value type="string">TaoPO</value> 
</attr> 
<attr attr-name="50073"> 
<value type="string">User2b</value> 
</attr> 
</instance> 
<instance class-name="GroupWise Nickname" event-id="0"> 
<attr attr-name="50035"> 
<value type="string">TaoDom</value> 
</attr> 
<attr attr-name="50062"> 
<value type="string">TaoPO</value> 
</attr> 
<attr attr-name="50073"> 
<value type="string">User2a</value> 
</attr> 
</instance> 
<status level="success"/> 
</output> 
</nds> 


Querying for a Gateway Alias 


The following XSLT code segment shows how to query in the Output Transformation policy for 
the gateway alias. 


<xsl:template match="modify[@class-name='User']"> 
  <xsl:copy> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
  <xsl:variable name="query"> 
    <nds dtdversion="1.0" ndsversion="8.5"> 
      <input> 
        <query class-name="{@class-name}" event-id="query-groupwise" scope="entry"> 
          <association> 
            <xsl:value-of select="association"/> 
          </association> 
          <read-attr attr-name="Gateway Alias"/> 
        </query> 
      </input> 
    </nds> 
  </xsl:variable> 
  <xsl:variable name="gw-aliases" select="query:query($destQueryProcessor, $query)//instance"/> 
</xsl:template> 


Result 


<nds dtdversion="1.0" ndsversion="8.5"> 
<source> 
<product version="1.0 SP1 Beta, 20020307_1205">GroupWise ZDS Driver</product> 
<contact>Novell, Inc.</contact> 
</source> 
<output> 
<instance class-name="User" event-id="0" src-dn="TaoDom.TaoPO.Userl{106}DFD036A0-0776-0000-A246-4100F0001300"> 
<association>TaoDom.TaoPO.Userl(106)DFD036A0-0776-0000-A246-4100F0001300</association> 
<attr attr-name="Gateway Alias"> 
<value type="structured"> 
<component name="50140">SMTP</component> 
<component name="50077">UserOne@novell.com</component> 
</value> 
</attr> 
</instance> 
<status level="success"/> 
</output> 
</nds> 


Querying for Internet EMail Address 


The following XSLT code segment shows how to query in the Output Transformation policy for 
the Internet Email Address generated by GroupWise. 


<xsl:template match="modify[@class-name='User']"> 
  <xsl:copy> 
    <xsl:apply-templates select="@*|node()"/> 
  </xsl:copy> 
  <xsl:variable name="query"> 
    <nds dtdversion="1.0" ndsversion="8.5"> 
      <input> 
        <query class-name="{@class-name}" event-id="query-groupwise" scope="entry"> 
          <association> 
            <xsl:value-of select="association"/> 
          </association> 
          <read-attr attr-name="Internet EMail Address"/> 
        </query> 
      </input> 
    </nds> 
  </xsl:variable> 
  <xsl:variable name="inet-address" select="query:query($destQueryProcessor, $query)//instance"/> 
</xsl:template> 


Results 


<nds dtdversion="1.1" ndsversion="8.6"> 
<source> 
<product build="20020502_1251" instance="GroupWise Driver" 
version="1.0a Beta">DirXML Driver for GroupWise</product> 
<contact>Novell, Inc.</contact> 
</source> 
<output> 
<instance class-name="User" event-id="0" 
src-dn="TaoDom.TaoPO.User2(106)5B8C40F0-0E79-0000-9ADA-350037009300"> 
<association>TaoDom.TaoPO.User2(106)5B8C40F0-0E79-0000-9ADA-350037009300</association> 
<attr attr-name="Internet EMail Address"> 
<value type="string">User2@domain.com</value> 
</attr> 
</instance> 
<status level="success"/> 
</output> 
</nds> 


Synchronizing External Users 


In your business, you might have several different e-mail applications. Although not all employees 
will have GroupWise e-mail accounts, you want the GroupWise address book to contain all 
employee information. The driver has the ability to create GroupWise external users, which 
enables the driver to obtain data from other e-mail systems (via eDirectory) and display it in the 
GroupWise address book. eDirectory users can be linked to GroupWise external users. 


If you are using multiple e-mail systems (GroupWise and NetMail/Notes/Exchange) you can 
create external users and external post offices to add the users in the non-GroupWise systems to 
the GroupWise address book. 


To synchronize data between external e-mail systems and GroupWise, your implementation must 
meet the following conditions: 

+ External users must be assigned to or be created in an external post office. 


+ External post offices must belong to a non-GroupWise domain. 


The default driver configuration does not include this customization. To implement this 
functionality, you should make appropriate changes to your filters, rules, and style sheets based on 
your business processes. 


TIP: In the \nt\dirxml\drivers\groupwise\extensions directory of the software, you can find examples of how to 
implement this solution. These are samples only and not intended for production use; customization is 
required. If users are in a tree other than where the GroupWise users are, you can use the simple example. If 
the GroupWise and non-GroupWise users are in the same tree, use the merged example. 


Creating External Users 


There are two ways you can specify placement when creating external users: 


+ In the Placement rule, you can specify the DN of an eDirectory object associated with the 
external post office. For additional information, refer to “Creating External Post Offices” on 
page 50. 


+ Identify the external post office by “Specifying an External Post Office in an Add Event” on 
page 49. 


You must modify the Schema Mapping policy or Output Transformation policy so that it modifies 
the class name of the user based on some criterion, such as the parent container name. 


IMPORTANT: When creating accounts in eDirectory for a non-GroupWise user, the user's class name must 
become GroupWise External User before the driver receives the event. 


When a new GroupWise External User is added to GroupWise, the driver creates an association 
on the eDirectory user. If the non-GroupWise user's information changes in eDirectory, the driver 
synchronizes those changes to GroupWise. If the association key is altered or deleted, the 
connection is broken, and the driver does not synchronize any changes made to the eDirectory user 
to GroupWise. 


Specifying an External Post Office in an Add Event 


If you do not use the driver to create an external post office, you need to generate the following 
information in the XML Add event. You must replace the external post office name and non- 
GroupWise domain values with names specific to your system. 


<!-- The external post office name to which the user belongs. --> 
<add-attr attr-name="50062"> 
  <value type="string"><![CDATA[External post office name]]></value> 
</add-attr> 


<!-- The non-GroupWise domain name to which the external post office belongs. 
--> 
<add-attr attr-name="50035"> 
  <value type="string"><![CDATA[Non-GroupWise domain name]]></value> 
</add-attr> 


NOTE: If you include the additional XML in the Add event, the value in your Placement policy is overridden. 
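

The two requirements above (the class name becomes GroupWise External User before the driver receives the event, and the Add event names the external post office and non-GroupWise domain) can be met in one Output Transformation style sheet. The following is an added example, not taken from this guide or from the driver's sample extensions; the container DN, ExtPO, and ExtDom are hypothetical names to replace with your own.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- Hypothetical values: the container that holds the non-GroupWise users
       (written in lowercase, with a trailing backslash so that a sibling
       container such as ...\external2 does not match), the external post
       office, and the non-GroupWise domain. -->
  <xsl:variable name="ext-container" select="'\gwdrivertree\novell\users\external\'"/>
  <xsl:variable name="ext-po" select="'ExtPO'"/>
  <xsl:variable name="ext-domain" select="'ExtDom'"/>

  <!-- DNs are compared in lowercase; translate() only folds these ASCII letters. -->
  <xsl:variable name="upper" select="'ABCDEFGHIJKLMNOPQRSTUVWXYZ'"/>
  <xsl:variable name="lower" select="'abcdefghijklmnopqrstuvwxyz'"/>

  <!-- Identity template: anything not matched below passes through unchanged. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <xsl:template match="add[@class-name='User']">
    <xsl:copy>
      <xsl:choose>
        <!-- Users created under the external container become external users. -->
        <xsl:when test="starts-with(translate(@src-dn, $upper, $lower), $ext-container)">
          <!-- copy every attribute of the <add> except class-name -->
          <xsl:apply-templates select="@*[name() != 'class-name']"/>
          <!-- the class name the driver must see for a non-GroupWise user -->
          <xsl:attribute name="class-name">GroupWise External User</xsl:attribute>
          <!-- copy the children, dropping any 50062/50035 values that arrived
               with the event so that each is sent exactly once -->
          <xsl:apply-templates
              select="node()[not(self::add-attr[@attr-name='50062' or @attr-name='50035'])]"/>
          <!-- The external post office name to which the user belongs. -->
          <add-attr attr-name="50062">
            <value type="string"><xsl:value-of select="$ext-po"/></value>
          </add-attr>
          <!-- The non-GroupWise domain name to which the external post office belongs. -->
          <add-attr attr-name="50035">
            <value type="string"><xsl:value-of select="$ext-domain"/></value>
          </add-attr>
        </xsl:when>
        <!-- Every other User add is passed through untouched. -->
        <xsl:otherwise>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:copy>
  </xsl:template>

</xsl:stylesheet>
```

Because the two add-attr elements are present in the Add event, they override the value in the Placement policy, as the NOTE above states.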


Creating External Post Offices 


There are two ways you can create external post offices: 


+ Let the driver create a GroupWise external post office and associate it to an eDirectory object, 
such as an Organizational Unit (recommended). 


+ Create an external post office through ConsoleOne®. 


If you want the driver to create an external post office, you should modify the Schema Mapping 
policy or Output Transformation policy so that it changes the class name to GroupWise External 
Post Office. 


NOTE: Before you can create an external post office, you must create a non-GroupWise domain in 
ConsoleOne. 


There are two ways you can specify placement when creating external post offices: 


+ In the Placement policy, you can specify the name of the non-GroupWise domain in which to 
create the external post office. 


+ Identify the non-GroupWise domain by generating XML code to specify the non-GroupWise 
domain. For additional information, refer to “Specifying a Non-GroupWise Domain in an Add 
Event” on page 50. 


Specifying a Non-GroupWise Domain in an Add Event 


You can generate the following information in the XML Add event. You must replace the non- 
GroupWise domain value with the name specific to your system. 


<!-- The non-GroupWise domain name to which the external post office belongs. 
--> 
<add-attr attr-name="50035"> 
  <value type="string"><![CDATA[Non-GroupWise domain name]]></value> 
</add-attr> 


NOTE: If you include the additional XML in the Add event, the value in your Placement policy is overridden. 


If you associate the external post office with an Organizational Unit, you must also map the OU 
attribute to the CN attribute for the Organizational Unit class, and the driver will use that attribute 
value for the post office name. 


NOTE: The Schema Mapping policy has a mapping for the OU attribute on the User class. Do not change the 
User class mapping. 


When creating external users, you should use the DN of the Organizational Unit in the Placement 
policy. When an external post office is added, you should specify the GroupWise domain to which 
the external post office belongs: 


When you create an external post office with the driver, GroupWise uses the default time zone 
setting on the non-GroupWise domain. If you want to change the time zone setting for the post 
office, generate the following XML in the Add event. Insert the appropriate time zone value in 
place of "EST." 


<add-attr attr-name="50088" > 
<value type="string">EST</value> 
</add-attr> 


Troubleshooting the DirXML Driver for GroupWise 


This section explains how to troubleshoot the DirXML® Driver for GroupWise®. 


Viewing Driver Errors in the DS Trace Screen 


For each event or operation received from the engine, the driver returns an XML document 
containing a status report in DS Trace. If the operation or event is not successful, the status report 
also contains a text message describing the error condition. 


The following table lists values for the status levels: 


Status Level    Description 
Success         Operation or event was successful. 
Warning         Operation or event was partially successful. 
Error           Operation or event failed. 
Fatal           A fatal error occurred. The driver shuts down. 
Retry           Application server was unavailable. Send this event or operation later. 


Understanding Error Text Descriptions 


The table below contains errors from the driver that display in the Trace screen. The Error Reason 
Text column in the table contains the error condition text returned to the DirXML engine in the 
Trace screen. The Level column in the table specifies the status level. The Description column 
describes the situations that might cause the condition and possible actions you can take to fix the 
problem. The status level and error condition text are recorded in the Driver log. 


Error Reason Text: Driver initialization error 
Level: Fatal 
Description: On driver initialization, no parameters were provided. 


Error Reason Text: Failure initializing GroupWise 
Level: Fatal 
Description: During initialization the driver cannot communicate with GroupWise. <text> can be 
one of the following: 

Error getting driver DN from src-dn attribute 
+ The src-dn attribute value in <init-params> did not have a value or the value was not 
recognized by the driver. 

Invalid GroupWise Primary Domain Path initialization parameter 
+ An invalid format was used to specify the domain path. 

Invalid “Admin User ID.” 
+ The value of this parameter cannot be “mapi”, which is a reserved ID. 

Missing domain path initialization parameter. 
+ The GroupWise primary domain path has not been specified in the Driver Parameters page in 
iManager. 

Missing “Admin User ID” initialization parameter 
+ The Admin User ID has not been specified in the Driver Parameters page in iManager. 

Invalid character in “Admin User ID.” 
+ An invalid character is used in the Admin User ID in the Driver Parameters page in iManager. 
The User ID contains 1 to 256 characters, and cannot contain the following characters: 
()@.:,{}*". The UserID must be unique within its namespace (UserID shares the same namespace 
as nicknames, resources, and distribution lists.) Do not use “mapi” (reserved IDs) for this value. 

Various text messages. 
+ JNDI Naming exception, class not found exception, unsatisfied link error (can't load .dll), 
unable to determine initial context, or domain path not correct. 

Unable to make connection with remote server 
+ Missing or invalid authentication information. 
+ Incorrect setup of authentication accounts. 


Error Reason Text: GroupWise error 
Level: Error 
Description: 
+ Invalid post office specified. Either the post office does not exist or the driver does not have 
eDirectory access rights (read/write). 
+ The parent of an external post office must be an external domain. 
+ Invalid post office or domain specified. 
+ Query Scope Entry: No base object identified. 
+ Requested Query operation is not supported. 
+ Unsupported Class. The driver received an event for an object other than a Novell® eDirectory™ 
User object. 
+ No username specified. The CN attribute was not specified. 
+ java.lang.NullPointerException. The XML document is not correctly formed. It may be 
syntactically correct, but it doesn't make sense. 


Error Reason Text: Unsupported operation 
Level: Error 
Description: The driver does not understand the XML event. 


Error Reason Text: Event failed. The DirXML association for this driver has been removed. 
Level: Error 
Description: The driver received an event for an object without an expected GroupWise ID. This is 
most likely caused when the GroupWise account is deleted through the GroupWise snap-ins. The 
driver has removed the DirXML association to the driver in eDirectory for this object. 


Error Reason Text: Move pending 
Level: Retry 
Description: When GroupWise is in the process of moving an account from one post office to 
another, other operations cannot be performed on the account. 


Error Reason Text: Prior modification pending 
Level: Retry 
Description: Attempted to move a user to another post office, but previous modifications have not 
been processed. 


Error Reason Text: Name already exists in GroupWise 
Level: Error 
Description: This can occur on an account create, rename, or post office move event. 


Error Reason Text: Event is for a different system. 
Level: Warning (for event) 
Description: The received event is not for this GroupWise system and is ignored by the driver. 
There can be multiple GroupWise systems in a single eDirectory tree. An instance of the driver 
supports only a single GroupWise system. 
Recommended Action: Add a rule to allow only items for this GroupWise system. 


Error Reason Text: Event is for a different system. 
Level: Error (for query) 
Description: The received query is not for this GroupWise system and is ignored by the driver. 
There can be multiple GroupWise systems in a single eDirectory tree. An instance of the driver 
supports only a single GroupWise system. 
Recommended Action: Add a rule to allow only items for this GroupWise system. 


Error Reason Text: Error publishing to eDirectory. 
Level: Error 
Description: GroupWise tried to update attributes in eDirectory for an object. The error message is 
from DirXML or eDirectory. You might have a GroupWise object without a corresponding object 
in eDirectory. If the corresponding object does exist in eDirectory, the attribute values in 
eDirectory might not be correct. 
Error Reason Text: No commands to execute
Level: Error
Description: An input document without any commands was received. This is probably a style sheet error, where the style sheet didn't pass any commands through.

Error Reason Text: Query posted to publisher failed
Level: Error
Description: This error is generated for the following conditions:
+ The driver received a query for an object other than user.
+ The object to be queried does not exist or cannot be read.

Error Reason Text: Waiting for publisher to start
Level: Retry
Description: The Subscriber channel does not process events until the Publisher channel is initialized and running. The Subscriber channel can initialize before the Publisher channel. Normally both channels initialize within a short time.

Error Reason Text: Invalid reference to GroupWise
Level: Warning
Description: This error occurred because there is an invalid reference to GroupWise. This is OK if it occurred on a modify event that is generated by eDirectory in response to a move event.
This could also occur if required data is missing, incorrect, invalid, or refers to the wrong type of object. In these cases, the error message includes specific information.

Error Reason Text: Password synchronization was not processed
Level: Success
Description: The post office security is set to LDAP Authentication. You cannot set the GroupWise password, which would be ignored.

Error Reason Text: Rename or Move
Level: Warning
Description: Rename or Move error: The operation might not be supported with this GroupWise domain version.
An error most likely occurred processing a move or rename. Part of the event might have been processed. Most likely, this operation is not supported in the GroupWise domain version. Please upgrade the GroupWise system.

Error Reason Text: eDirectory Error
Level: Retry or Error
Description: This attempt to read from or write to eDirectory failed. See the error message and prior result from eDirectory for more details.
Class and Attribute Descriptions

The table in this section lists each Novell® eDirectory™ class and attribute used by the DirXML Driver for GroupWise®. The Secondary Effects column in the table contains information about how the attribute is used, special handling, conversions, and relationships of the attributes to other attributes.

eDirectory Class or Attribute: NDS User

GroupWise Attribute: 50319
Description: Preferred Internet eMail ID
Secondary Effects: Example: JohnDoe
“mapi” is not allowed because it is reserved.
This ID must be unique in the entire GroupWise system. It contains 1 to 256 characters, and cannot contain the following characters: ()@.:,{}*”. The ID must be unique within its namespace (UserID, nicknames, resources, and distribution lists share the same namespace.)

GroupWise Attribute: 50045
Description: Internet domain name
Secondary Effects: Example: MyDomain.com

GroupWise Attribute: 59028
Description: LDAP authentication ID in typeful format
Secondary Effects: Example: cn=admin, o=novell

GroupWise Attribute: 50013
Description: Preferred Internet address format (numeric value)
Secondary Effects:
0 - Full (Name.PostOffice.Domain@IDomain.com)
1 - Host and User ID (Name.PostOffice@IDomain.com)
2 - User ID (Name@IDomain.com)
3 - Lastname.firstname
4 - Firstname.lastname
5 - No setting (reserved)
6 - First initial and last name

GroupWise Attribute: 50320
Description: Disallowed Internet address formats (bit settings)
Secondary Effects:
0 - None
1 - Full
2 - Host
4 - User ID
8 - Lastname.Firstname
16 - Firstname.Lastname
32 - First initial and last name
You should not set this attribute value to bit one. It is an illegal operation to disallow the Full format.
You can “or” values together. For instance, to allow only full name (but disallow all but full name) you would use a value of 62 (0x3E).
GroupWise Attribute: 50157
Description: Exclusive use of Internet domain name
Secondary Effects:
0 = Off (requires setting an Internet domain name--50045)
1 = On (only recognizes the domain name set in Internet domain name--50045)

eDirectory Class or Attribute: CN
GroupWise Attribute: None
Description: Common Name of a User object.
Secondary Effects: When a GroupWise account is created or renamed, this value is used to name the GroupWise account and to set NGW: Object ID. For all other operations, this value is ignored.

eDirectory Class or Attribute: Given Name
GroupWise Attribute: 50091
Description: User's first name
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Surname
GroupWise Attribute: 50093
Description: User's last name
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. This attribute is only used on the Publisher channel when creating a default user for resource reassignment. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Title
GroupWise Attribute: 50096
Description: User's title
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: OU
GroupWise Attribute: 50089
Description: User's department
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Telephone Number
GroupWise Attribute: 50095
Description: User's telephone number
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Facsimile Telephone Number
GroupWise Attribute: 50145
Description: User's facsimile telephone number
Secondary Effects: Only synchronizes the telephone number portion from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Description
GroupWise Attribute: 50032
Description: Provides additional information.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: company
GroupWise Attribute: 55022 (50310 for GW 6.5 or later)
Description: User's company.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Initials
GroupWise Attribute: 55019 (50322 for GW 6.5 or later)
Description: Middle initials, up to 8 characters.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Generational Qualifier
GroupWise Attribute: 55020 (50323 for GW 6.5 or later)
Description: Jr., III, and so forth, up to 8 characters.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: personalTitle
GroupWise Attribute: 55021 (50324 for GW 6.5 or later)
Description: Dr., Mr., Ms., and so forth, up to 8 characters.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. See the note at the end of this table for additional information about this attribute.
eDirectory Class or Attribute: NGW: Object ID
GroupWise Attribute: 50073
Description: GW mailbox name. The name must be unique within a post office. The name contains 1 to 256 characters, and cannot contain the following characters: 00.0.
Secondary Effects: This attribute takes its value from the CN attribute. The shim writes it via the Publisher channel to eDirectory. It is set when an account is created and modified, and when an account is renamed. Modifying this value might cause the following attributes to be modified:
+ Email Address
+ Internet Email Address
+ NGW: GroupWise ID
+ DirXML association key
This attribute should not be modified except as the result of a rename.

eDirectory Class or Attribute: NGW: Account ID
GroupWise Attribute: 50116
Description: Optional field for accounting. It can contain a cost account used for posting charges to this user.
Secondary Effects: When an account is created, the shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. Normally the driver does not set this value. However, this attribute can be set through the Create rule or Create style sheet. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: NGW: Gateway Access
GroupWise Attribute: 59001
Secondary Effects: When an account is created, the shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. Normally the driver does not set this value. However, this attribute can be set through the Create rule or style sheet. See the note at the end of this table for additional information.

eDirectory Class or Attribute: NGW: Mailbox Expiration Time
GroupWise Attribute: 50138
Secondary Effects: When an account is created, the shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. This attribute can be set through the Create rule or style sheet. For example, the default Output Transformation style sheet uses the eDirectory login expiration time to set this value.

eDirectory Class or Attribute: Login Disabled
GroupWise Attribute: 50058
Description: A Boolean value that indicates whether eDirectory login (authentication) is allowed.
Secondary Effects: Synchronizes from eDirectory to GroupWise on create and modify events. The shim converts true to 1 and false to 0. Setting the GroupWise 50058 attribute to 1 disables the GroupWise account. See the note at the end of this table for additional information.

eDirectory Class or Attribute: Login Expiration Time
GroupWise Attribute: None
Description: Date and time when authentication rights expire.
Secondary Effects: This eDirectory attribute has no corresponding GroupWise attribute. The value of this attribute is used to set the eDirectory attribute NGW: Mailbox Expiration Time and the GW attribute 50138, which are connected through the Schema Mapping rule.

eDirectory Class or Attribute: NGW: File ID
GroupWise Attribute: 50038
Description: Three characters used to name system files for the user. The value must be unique within a post office. This value is set by GroupWise.
Secondary Effects: This attribute is set in GroupWise by GroupWise when an account is created. The shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. A move operation could cause this attribute to change. This attribute should not be modified in any style sheet.
eDirectory Class or Attribute: NGW: GroupWise ID
GroupWise Attribute: None
Description: Uniquely identifies an object in GroupWise. This value is used for the DirXML association.
Secondary Effects: When an account is created or modified, the shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. A GroupWise move operation or a rename causes this attribute to change. On any modify operation, the shim reads this value through the GroupWise API and, if it has changed, writes it to eDirectory through the Publisher channel. The shim also changes the DirXML association value.
This attribute only comes through the Subscriber channel when the GroupWise snap-ins change this value. The shim then changes the DirXML association key.
This value, not the association key, is used to read the GroupWise object. If the association key does not match this attribute value, the association key is updated. This is because the GroupWise snap-ins can change this attribute and the GroupWise snap-ins do not update the association key.
On all events, except delete, the shim queries eDirectory for this value. If the value does not exist, the event is discarded.
If the shim cannot read the GroupWise object using this value, an error is returned to DirXML. This is a rare occurrence.

eDirectory Class or Attribute: NGW: Visibility
GroupWise Attribute: 50076
Description: Visibility is used to specify the databases into which an object should be replicated. Controls whether objects appear in the address book.
Secondary Effects: This attribute is set in GroupWise by GroupWise when an account is created. The shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory. Normally the driver does not set this value. However, this attribute can be set through the Create rule or style sheet. To set, add code to the Create rule. Use "2" for global visibility, or "4" for no visibility. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: Email Address
GroupWise Attribute: None
Secondary Effects: This attribute is generated by GroupWise on create, rename, or move operations. The shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory.

eDirectory Class or Attribute: InternetEmail Address
GroupWise Attribute: None
Secondary Effects: This attribute is generated by GroupWise on a create or rename operation, or when any attributes used to generate Internet Email Address are modified. The shim queries GroupWise for this value and writes it via the Publisher channel to eDirectory.

eDirectory Class or Attribute: NGW: Post Office
GroupWise Attribute: None
Description: DN of the Post Office object.
Secondary Effects: The driver writes this on create and move operations.

eDirectory Class or Attribute: Any User attribute whose value can be represented as a string.
GroupWise Attribute: 50106 to 50115, 55002 to 55011
Description: Up to 20 eDirectory user attributes can be mapped to generic GroupWise attributes and displayed in the address book.
Secondary Effects: The eDirectory attribute names must be added to the filter. The eDirectory and GroupWise attribute names must be added to the Schema Mapping rule.
NOTE: For these attributes to appear in the address book, GroupWise must be configured through ConsoleOne®. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: GroupWise Post Office
eDirectory Class or Attribute: Member
GroupWise Attribute: None
Secondary Effects: On a user create, the shim writes the eDirectory DN of the user to this attribute using the Publisher channel. On a post office move, the shim deletes the user DN from the old post office and writes the user DN to the new post office.

eDirectory Class or Attribute: GroupWise Resource

eDirectory Class or Attribute: NGW: Owner
GroupWise Attribute: 50081
Description: The user (NGW: Object ID) that owns the resource. An owner is identified by its Object Name.
Secondary Effects: The shim writes this value to GroupWise and to eDirectory via the Publisher channel. The value is provided by a style sheet or driver option. See the note at the end of this table for additional information about this attribute.

eDirectory Class or Attribute: GroupWise Distribution List

eDirectory Class or Attribute: Member
GroupWise Attribute: None
Secondary Effects: On eDirectory user create or modify operations, a set of Distribution Lists can be specified. The user can only be added as a Member. The shim fills in this attribute through the Publisher channel. On a modify event, a user can be removed from a specified Distribution List (member, BC or CC) or from all distribution lists (member, BC or CC). The shim will remove the user from the appropriate distribution list.

eDirectory Class or Attribute: NGW: Blind Copy Member
GroupWise Attribute: None
Secondary Effects: The driver cannot set this attribute. This attribute is populated only via the GroupWise snap-in.

eDirectory Class or Attribute: NGW: Carbon Copy Member
GroupWise Attribute: None
Secondary Effects: The driver cannot set this attribute. This attribute is populated only via the GroupWise snap-in.

IMPORTANT: When the Visibility GroupWise attribute is explicitly changed by a style sheet, the 
corresponding eDirectory attribute must also be updated by the style sheet. Otherwise, the eDirectory User 
and the GroupWise account are not properly synchronized. 
For this attribute, eDirectory is considered the authoritative data source. When the attributes are not 
synchronized, it is possible that the old value in eDirectory could be used to incorrectly update the correct value 
in the GroupWise account. Updating the corresponding attribute in eDirectory can prevent this. In the example 
XSLT code segment below, when an eDirectory User is disabled, the GroupWise account is disabled and the 
visibility attribute is set to "4." This prevents the account from appearing in the address book. The visibility 
attribute (50076) is set in GroupWise, together with the disable. The visibility attribute (NGW: Visibility) is set 
in eDirectory using the channel write-back DirXML functionality. 
<!-- User Disable, Remove Address Book Visibility

     When a GroupWise Account is Disabled
     remove the account from the address book visibility.
     Keep eDirectory and GroupWise object synchronized by
     updating the attributes in both systems.

     The enclosing style sheet must declare the cmd namespace prefix
     and the srcCommandProcessor parameter.
-->
<xsl:template match="modify-attr[@attr-name='50058']">
    <!-- Always copy the <modify-attr> through to update GroupWise, so that
         changes other than a disable are not dropped by this template -->
    <xsl:copy>
        <!-- copy everything through -->
        <xsl:apply-templates select="@* | node()"/>
    </xsl:copy>
    <!-- When Login Disabled is true -->
    <xsl:if test="add-value//value[.='true']">
        <!-- Update the visibility attribute in GroupWise -->
        <!-- Set the GroupWise visibility attribute (50076) to "4"
             so the account does not show in the address book -->
        <modify-attr attr-name="50076">
            <remove-all-values/>
            <add-value>
                <value type="int">4</value>
            </add-value>
        </modify-attr>
        <!-- Update the visibility attribute in eDirectory -->
        <!-- Send a command to modify "NGW: Visibility" in the eDirectory User object -->
        <xsl:variable name="command">
            <modify class-name="User">
                <!-- dest-dn and dest-entry-id identify the User object in eDirectory -->
                <xsl:attribute name="dest-dn">
                    <xsl:value-of select="../@src-dn"/>
                </xsl:attribute>
                <xsl:attribute name="dest-entry-id">
                    <xsl:value-of select="../@src-entry-id"/>
                </xsl:attribute>
                <!-- Set NGW: Visibility (50076) in eDirectory to "4" -->
                <modify-attr attr-name="NGW: Visibility">
                    <remove-all-values/>
                    <add-value>
                        <value type="int">4</value>
                    </add-value>
                </modify-attr>
            </modify>
        </xsl:variable>
        <xsl:variable name="result" select="cmd:execute($srcCommandProcessor, $command)"/>
    </xsl:if>
</xsl:template>
Upgrading from the 1.0a Version of the Driver

Use the steps in this section to upgrade the DirXML® Driver 1.0a for GroupWise®, which was released with DirXML 1.1a.

After you upgrade the driver, you must obtain a new activation credential for the DirXML Driver 2.0 for GroupWise. If you do not complete the activation process within 90 days, the upgraded driver does not run. For additional information, refer to “Activating the Driver” on page 24.

To upgrade to version 2.0:
1 In Novell® iManager, click eDirectory Administration > Modify Object.
2 Specify the driver object’s name, then click OK.
3 Scroll down to the Startup Option section, click Manual, then click OK.
4 Shut down eDirectory™ or the Remote Loader.
5 Run the DirXML Driver 2.0 for GroupWise installation program.

You install the driver over the existing 1.0a driver files. This step updates all necessary driver files.

6 Start eDirectory or the Remote Loader, then open Novell iManager.
7 In Novell iManager, click eDirectory Administration > Modify Object.
8 Specify the driver object’s name, then click OK.
9 Click the Driver Configuration tab > Authentication context.
10 Do one of the following:

+ If the driver is installed on Windows and the GroupWise domain database is on NetWare®, provide the eDirectory context of the specified Authentication ID. Otherwise, you should leave this field blank.

+ If the driver is installed on NetWare, you should leave the eDirectory context of the specified Authentication blank.

11 In Novell iManager, add the following attributes to the User Class in the Subscriber channel filter:

+ company
+ Generational Qualifier
+ Initials
+ personalTitle

12 Add the following definitions to the Schema Mapping rule.
If you are using GroupWise 5.5 or 6.0:
<attr-name class-name="User">
    <nds-name>company</nds-name>
    <app-name>55022</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>Initials</nds-name>
    <app-name>55019</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>Generational Qualifier</nds-name>
    <app-name>55020</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>personalTitle</nds-name>
    <app-name>55021</app-name>
</attr-name>

If you are using or upgrading to GroupWise 6.5:

<attr-name class-name="User">
    <nds-name>company</nds-name>
    <app-name>50310</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>Initials</nds-name>
    <app-name>50322</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>Generational Qualifier</nds-name>
    <app-name>50323</app-name>
</attr-name>
<attr-name class-name="User">
    <nds-name>personalTitle</nds-name>
    <app-name>50324</app-name>
</attr-name>



13 In Novell iManager, click eDirectory Administration > Modify Object. 
14 Specify the driver object’s name, then click OK. 


15 Scroll down to the Startup Option section, click Auto Start, then click OK. 


IMPORTANT: When working with Distribution Lists, you must change all instances of the Groups attribute to Distribution DN in all style sheets. Previous versions of the driver supported the Groups attribute; however, the 2.1.1 version of the driver does not support this attribute.

If you are upgrading the driver on the Windows platform, the installation program removes gwadj1.dll and replaces it with gwadj2.dll. You should search the system where the driver resides for additional copies of gwadj1.dll and delete these files. Do not delete copies of this file that reside in the ConsoleOne® directory. If both versions of the DLL exist, the driver uses the older version.
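
A check for step 12, added here as an example (it is not part of the Novell documentation or the driver): given the text of a Schema Mapping rule and the GroupWise version, it reports which of the four new User attributes are unmapped, mapped more than once, or still mapped to the other version's attribute number. The function name, the <attr-name-map> wrapper element and the sample rule are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# GroupWise attribute numbers taken from the Schema Mapping definitions in step 12.
EXPECTED = {
    "5.5/6.0": {"company": "55022", "Initials": "55019",
                "Generational Qualifier": "55020", "personalTitle": "55021"},
    "6.5":     {"company": "50310", "Initials": "50322",
                "Generational Qualifier": "50323", "personalTitle": "50324"},
}

# Constructed sample rule (not from a real driver). The <attr-name-map> wrapper is
# an assumption. Defects planted on purpose: company is mapped twice, Initials
# still carries the 5.5/6.0 number, and personalTitle is missing.
SAMPLE_RULE = """
<attr-name-map>
  <attr-name class-name="User">
    <nds-name>company</nds-name>
    <app-name>50310</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>company</nds-name>
    <app-name>55022</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>Initials</nds-name>
    <app-name>55019</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>Generational Qualifier</nds-name>
    <app-name>50323</app-name>
  </attr-name>
</attr-name-map>
"""


def check_schema_mapping(rule_xml, gw_version):
    """Return a list of problems with the four User mappings added in step 12."""
    expected = EXPECTED[gw_version]
    # Numbers that belong to the other GroupWise version, to explain wrong values.
    other_numbers = {num: ver for ver, table in EXPECTED.items()
                     if ver != gw_version for num in table.values()}

    # Collect every app-name mapped to each of the four eDirectory names.
    found = {}
    for elem in ET.fromstring(rule_xml).iter("attr-name"):
        if elem.get("class-name") != "User":
            continue
        nds = (elem.findtext("nds-name") or "").strip()
        app = (elem.findtext("app-name") or "").strip()
        if nds in expected:
            found.setdefault(nds, []).append(app)

    problems = []
    for nds, want in expected.items():
        apps = found.get(nds, [])
        if not apps:
            problems.append(f"{nds}: no mapping (expected {want})")
        elif len(apps) > 1:
            problems.append(f"{nds}: mapped {len(apps)} times ({', '.join(apps)})")
        elif apps[0] != want:
            hint = other_numbers.get(apps[0])
            note = f", which is the GroupWise {hint} number" if hint else ""
            problems.append(f"{nds}: mapped to {apps[0]}{note} (expected {want})")
    return problems


if __name__ == "__main__":
    for line in check_schema_mapping(SAMPLE_RULE, "6.5"):
        print(line)
```

An empty list means all four attributes are mapped exactly once to the numbers listed for that GroupWise version.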
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